Subject: ifa_rtrequest with unsafe typecast
To: None <>
From: Jun-ichiro itojun Hagino <>
List: tech-net
Date: 01/15/2001 17:24:34
	at the very end of sys/net/route.c:rtrequest(), we have lines like this:

>#define SA(p) ((struct sockaddr *)(p))
>	if (ifa->ifa_rtrequest)
>		ifa->ifa_rtrequest(req, rt, SA(ret_nrt ? *ret_nrt : 0));

	ret_nrt is typed as struct rtentry **, so we are casting rtentry *
	into sockaddr *.  it does not make sense at all.  if the very first
	element of struct rtentry is sockaddr, it does.  if any of you have
	older source code tree, please check...
	the lines are straight from 4.4BSD I believe (see p611 of TCP/IP
	illustrated vol 2).

	the only code which touches the 3rd argument to ifa->ifa_rtrequest
	is sys/netiso/if_eon.c:eonrtrequest(), and it assumes that the
	type is sockaddr.  so if we visit the above line and visit
	eonrtrequest(), I believe we will be in trouble.

	I have checked other BSDs too, and the result was like this:
	- freebsd{228,35,42}, openbsd15, bsdi31: same as netbsd
	- bsdi4: 3rd argument type of ifa_rtrequest() is changed to
	  rt_addrinfo * (I believe it came from 4.4BSD change?).
	  eonrtrequest() is left behind (netiso is not supported, it seems)
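The type confusion described in the mail, reproduced as an added example (not code from the NetBSD tree or from the author): the struct names sa_like, rn_like, rtentry_like and ifaddr_like are constructed, simplified stand-ins for sockaddr, radix_node, rtentry and ifaddr, eon_like_rtrequest stands in for an eonrtrequest()-style hook that trusts its third argument, and the family value 18 is a constructed sample. The SA() macro and the `ret_nrt ? *ret_nrt : 0` call are copied from the quoted route.c lines. The example shows that the hook, handed the rtentry cast to sockaddr, reads a byte of the first radix_node instead of an address family, and that a C11 `_Generic` check can document at compile time whether the "first member is a sockaddr" assumption actually holds for a given struct.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified stand-ins for the kernel types discussed in the
 * mail. They are NOT the real NetBSD definitions; only the layout property
 * that matters here is preserved: rtentry does not start with a sockaddr. */
struct sa_like {                /* like struct sockaddr */
    uint8_t sa_len;
    uint8_t sa_family;
    char    sa_data[14];
};

struct rn_like {                /* like struct radix_node */
    void   *rn_left;
    void   *rn_right;
    uint8_t rn_bmask;
};

struct rtentry_like {           /* like struct rtentry: first member is a radix_node */
    struct rn_like   rt_nodes[2];
    struct sa_like  *rt_gateway;
    int              rt_flags;
};

/* Same hook shape as ifa->ifa_rtrequest in the mail: (req, rt, sa). */
struct ifaddr_like {
    void (*ifa_rtrequest)(int, struct rtentry_like *, struct sa_like *);
};

/* The cast from route.c, reproduced on the stand-in types. */
#define SA(p) ((struct sa_like *)(p))

#define RTM_ADD_LIKE 1          /* constructed request code */
#define AF_SAMPLE    18         /* constructed family value for the sample gateway */

static int g_seen_family;       /* what the hook observed, for the caller to compare */

/* Models an eonrtrequest()-style hook: it trusts that sa is a sockaddr
 * and reads the family from it, i.e. byte 1 of whatever it was handed. */
static void eon_like_rtrequest(int req, struct rtentry_like *rt, struct sa_like *sa)
{
    (void)req; (void)rt;
    g_seen_family = sa->sa_family;
}

/* Builds a zeroed route whose gateway is a sockaddr of family AF_SAMPLE. */
static void make_route(struct rtentry_like *rt, struct sa_like *gw)
{
    memset(gw, 0, sizeof *gw);
    gw->sa_len = sizeof *gw;
    gw->sa_family = AF_SAMPLE;
    memset(rt, 0, sizeof *rt);  /* rt_nodes[0].rn_left == NULL, so its byte 1 is 0 */
    rt->rt_gateway = gw;
}

/* Reproduces the route.c call: the hook receives the rtentry cast to sockaddr. */
int family_seen_via_unsafe_cast(void)
{
    struct sa_like gw; struct rtentry_like rt;
    struct rtentry_like *rtp = &rt;
    struct rtentry_like **ret_nrt = &rtp;
    struct ifaddr_like ifa = { eon_like_rtrequest };
    make_route(&rt, &gw);
    ifa.ifa_rtrequest(RTM_ADD_LIKE, &rt, SA(ret_nrt ? *ret_nrt : 0));
    return g_seen_family;       /* 0: a byte of a radix_node, not an address family */
}

/* The typed path: hand the hook a pointer that really is a sockaddr. */
int family_seen_via_gateway(void)
{
    struct sa_like gw; struct rtentry_like rt;
    struct ifaddr_like ifa = { eon_like_rtrequest };
    make_route(&rt, &gw);
    ifa.ifa_rtrequest(RTM_ADD_LIKE, &rt, rt.rt_gateway);
    return g_seen_family;       /* AF_SAMPLE */
}

/* The check the mail asks for: is the very first member of rtentry a sockaddr?
 * _Generic inspects the member's type without evaluating the expression, so
 * this resolves at compile time and can sit inside a _Static_assert. */
#define FIRST_MEMBER_IS_SOCKADDR(type, member) \
    _Generic(((type *)0)->member, struct sa_like: 1, default: 0)

int rtentry_first_member_is_sockaddr(void)
{
    return FIRST_MEMBER_IS_SOCKADDR(struct rtentry_like, rt_nodes[0]);  /* 0 */
}
```

Because the hook cannot tell a radix_node from a sockaddr once the cast has happened, the only places to catch this are the call site (pass the correctly typed rt_gateway, or a dedicated argument type such as the rt_addrinfo * used by bsdi4 per the mail) and a compile-time layout check like the `_Generic` macro above; compiling with warnings enabled will not flag the cast, since SA() is an explicit conversion.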