NetBSD-Bugs archive


bin/42923: pppd(8) catches SIGSEGV after IPv6CP link is up



>Number:         42923
>Category:       bin
>Synopsis:       pppd(8) catches SIGSEGV after IPv6CP link is up
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 05 07:50:00 +0000 2010
>Originator:     Takahiro Hayashi
>Release:        NetBSD-current 5.99.24 checked out on Feb 25 02:59:20 GMT 2010
>Organization:
>Environment:
System: NetBSD halt 5.99.24 NetBSD 5.99.24 (UNION) #2: Tue Mar  2 09:16:58 JST 
2010  root@peer:/usr/build/obj.i386/sys/arch/i386/compile/UNION i386
Architecture: i386
Machine: i386
>Description:
        pppd(8) catches SIGSEGV while it configures the pppN interface.
        This happens when only the IPv6CP link is up.
        In pppd/pppd/sys-bsd.c the IPv6 prefixmask of the interface is
        memset(); however, the specified address is beyond the size
        of the structure (see the patch below).
>How-To-Repeat:
        Configure pppd to establish an IPv6CP link and start it.
>Fix:
        This patch may help.
Index: usr.sbin/pppd/pppd/sys-bsd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/pppd/pppd/sys-bsd.c,v
retrieving revision 1.61
diff -u -u -r1.61 sys-bsd.c
--- usr.sbin/pppd/pppd/sys-bsd.c        14 Nov 2009 04:47:03 -0000      1.61
+++ usr.sbin/pppd/pppd/sys-bsd.c        5 Mar 2010 06:11:51 -0000
@@ -793,9 +793,9 @@
     addreq6.ifra_prefixmask.sin6_len = sizeof(struct sockaddr_in6);
     memset(&addreq6.ifra_prefixmask.sin6_addr, 0xff,
        sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64));
-    memset(&addreq6.ifra_prefixmask.sin6_addr +
-       sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64), 0x00,
-       sizeof(our_eui64));
+    memset(&addreq6.ifra_prefixmask.sin6_addr.s6_addr
+       [sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64)],
+       0x00, sizeof(our_eui64));
 
     /* address lifetime (infty) */
     addreq6.ifra_lifetime.ia6t_pltime = ND6_INFINITE_LIFETIME;
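Review bot: The offset `sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64)` is now written out twice, once as the length of the 0xff memset and once as the `s6_addr` index on the added lines, so the two can drift apart in a later edit. Compute it once into a local `size_t` and use it in both calls. The subtraction is unsigned, so a compile-time check that `sizeof(our_eui64)` does not exceed `sizeof(addreq6.ifra_prefixmask.sin6_addr)` would keep both memset arguments from wrapping if either type ever changes. A short comment on the indexed form saying that it counts bytes, unlike arithmetic on `&...sin6_addr`, would also help the next reader avoid reintroducing the removed expression.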

-- 
Takahiro Hayashi <hash%abox3.so-net.ne.jp@localhost>
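
Added example, not part of the original report or of pppd: it compares the byte offset reached by the pre-patch pointer expression with the one reached by the patched index, then builds the mask through a bounds-checked helper. The names `eui64_example_t`, `offset_struct_ptr`, `offset_byte_index` and `set_prefixmask` are hypothetical, and `sin6_len` is left out so the code also compiles on systems without that field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>

/* Constructed stand-in for pppd's eui64_t: an 8-byte interface identifier. */
typedef struct { uint8_t e8[8]; } eui64_example_t;

/* Offset from the start of sin6_addr reached by the pre-patch expression
 * `&mask.sin6_addr + n`: arithmetic on a struct in6_addr pointer scales n
 * by sizeof(struct in6_addr). Integer math only, so the out-of-bounds
 * pointer is never actually formed here. */
size_t offset_struct_ptr(void)
{
    size_t n = sizeof(struct in6_addr) - sizeof(eui64_example_t);
    return n * sizeof(struct in6_addr);
}

/* Offset reached by the patched expression `&mask.sin6_addr.s6_addr[n]`:
 * s6_addr is a byte array, so the index counts bytes. */
size_t offset_byte_index(void)
{
    return sizeof(struct in6_addr) - sizeof(eui64_example_t);
}

/* Hypothetical helper: set the first prefix_bytes of the mask to 0xff and
 * the rest to 0x00, refusing a length that would not fit in sin6_addr. */
int set_prefixmask(struct sockaddr_in6 *mask, size_t prefix_bytes)
{
    if (prefix_bytes > sizeof(mask->sin6_addr))
        return -1;
    memset(mask, 0, sizeof(*mask));
    mask->sin6_family = AF_INET6;   /* BSD code would also set sin6_len */
    memset(mask->sin6_addr.s6_addr, 0xff, prefix_bytes);
    return 0;
}

int main(void)
{
    struct sockaddr_in6 mask;
    printf("pre-patch offset: %zu bytes, patched offset: %zu bytes\n",
        offset_struct_ptr(), offset_byte_index());
    if (set_prefixmask(&mask, offset_byte_index()) != 0)
        return 1;
    printf("mask byte 7 = 0x%02x, byte 8 = 0x%02x\n",
        mask.sin6_addr.s6_addr[7], mask.sin6_addr.s6_addr[8]);
    return 0;
}
```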


