NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

bin/47311: rtadvd(8) crashes when RA arrives on a newly created interface

>Number:         47311
>Category:       bin
>Synopsis:       rtadvd(8) crashes when RA arrives on a newly created interface
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 11 14:55:00 +0000 2012
>Originator:     Valery Ushakov
>Release:        NetBSD 6
NetBSD amd64 6.0_STABLE NetBSD 6.0_STABLE (GENERIC) #0: Sun Nov 18 04:21:07 MSK 

When rtadvd(8) is up and running and a new interface is created behind
its back it doesn't notice that.  When later an RA arrives on a new
interface rtadvd(8) crashes at rtadvd.c:617 (line number as of rev. 1.38):

  if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {

where pi->ipi6_ifindex names a new interface and it's out of bounds for 
iflist[] array that was populated before the new interface was created.

I don't have a ready test case to reproduce it.  What I'm doing is I'm
playing with lwIP stack using tap(4) bridge(4)'ed to the real ethernet.

The system has


in rc.conf(5) so rtadvd(8) is started at boot.  Later I create a tap interface 
bridged to wm1 and run lwIP on that tap.  When my lwIP app sends its first RA 
out on tap, rtadvd(8) crashes as described.

To reproduce this it's probably easiest to just create/open a tap and send 
canned ethernet frame with RA packet in it.


Home | Main Index | Thread Index | Old Index