Subject: kern/2183: "route" command can panic kernel
To: None <gnats-bugs@NetBSD.ORG>
From: Chuck Cranor <chuck@yikes.ccrc.wustl.edu>
List: netbsd-bugs
Date: 03/06/1996 16:28:51
>Number: 2183
>Category: kern
>Synopsis: "route" command can panic kernel
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 6 17:50:03 1996
>Last-Modified:
>Originator: Chuck Cranor <chuck@maria.wustl.edu>
>Organization:
Computer and Communications Research Center
Washington University, St. Louis MO USA
>Release: NetBSD-current March 6th 1996.
>Environment:
seems to be an MI bug
>Description:
the "route" command can panic the kernel with certain args
>How-To-Repeat:
assuming 128.252.169 is your local net and le0 is your net interface:
route add 128.252.169.88 -link le0:1.2.3.4.5.6
will cause a reference through NULL in ifa_ifwithdstaddr() because
ifa->ifa_dstaddr is NULL and is being passed to the equal() macro
(which in turn calls bcmp).
>Fix:
*** if.c_ORIG Wed Mar 6 11:04:15 1996
--- if.c Wed Mar 6 16:11:54 1996
***************
*** 181,186 ****
--- 181,188 ----
for (ifa = ifp->if_addrlist.tqh_first; ifa != 0; ifa = ifa->ifa_list.tqe_next) {
if (ifa->ifa_addr->sa_family != addr->sa_family)
continue;
+ if (ifa->ifa_dstaddr == NULL)
+ continue;
if (equal(addr, ifa->ifa_dstaddr))
return (ifa);
}
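Review bot: the added `if (ifa->ifa_dstaddr == NULL)` test in the address-list loop fixes the dereference described in How-To-Repeat, but it needs a short comment saying why an address entry can have no destination address here (the `-link` route on le0 from the report is the one known trigger), so a later cleanup does not remove it as dead code. The line just above still reads `ifa->ifa_addr->sa_family` with no guard; it is worth confirming that `ifa_addr` can never be NULL on this list, or the same class of panic remains one line earlier. As a style point, the loop condition compares against `0` while the new test compares against `NULL`; pick one form within the function.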
>Audit-Trail:
>Unformatted: