NetBSD-Bugs archive


bin/43881: rtadvd crashes when interfaces are created



>Number:         43881
>Category:       bin
>Synopsis:       rtadvd crashes when interfaces are created
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 15 05:25:00 +0000 2010
>Originator:     Michael van Elst
>Release:        NetBSD 4.0_STABLE
>Organization:
-- 
                                Michael van Elst
Internet: mlelstv%serpens.de@localhost
                                "A potential Snark may lurk in every tree."
>Environment:
        
        
System: NetBSD henery 4.0_STABLE NetBSD 4.0_STABLE (HENERY) #33: Sat Sep 4 13:49:00 CEST 2010 mlelstv@henery:/home/netbsd4/obj.i386/home/netbsd4/src/sys/arch/i386/compile/HENERY i386
Architecture: i386
Machine: i386
>Description:
rtadvd dumped core after destroying and creating IPv6 interfaces.

The coredump showed that the crash happens in rtadvd_input.

#0  0x08049fa8 in rtadvd_input ()
#1  0x0804af0d in main ()

eip            0x8049fa8        0x8049fa8 <rtadvd_input+308>

In particular:

        if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {

uses a NULL pointer.

Iflist is a table created once in init_iflist() and filled sparsely
with kernel data.  Data for unused interface indexes is not initialized
(but happens to be zero). The assumption is probably that all indexes
are used.

rtadvd_input() does only some crude sanity checking by ignoring
messages from interface index zero. It doesn't validate the index
against the table size and it may use uninitialized entries.

N.B. the same code is in -current.
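The sparse-table lookup described above, as an added example (not rtadvd's own code): a hypothetical iflist with NULL holes for unused interface indexes, the unchecked pattern quoted in the report, and a lookup that validates the index against the table size and rejects empty slots. struct rainfo, IFLIST_SIZE and the IFF_UP value are constructed stand-ins, not the real rtadvd or kernel definitions.

```c
#include <stddef.h>

/* Hypothetical stand-in for rtadvd's per-interface record. */
struct rainfo {
    int ifindex;
    int ifm_flags;      /* interface flags copied from the kernel */
};

#define IFF_UP 0x1      /* constructed stand-in value, not from <net/if.h> */
#define IFLIST_SIZE 8   /* table size as fixed by the hypothetical init_iflist() */

/* Sparse table indexed by interface index; slots never filled stay NULL. */
static struct rainfo *iflist[IFLIST_SIZE];

/* The pattern from the report: index zero is filtered by the caller, but
 * nothing checks the table bound or whether the slot was ever filled.
 * Calling this on a NULL slot is the crash described above. */
static int ifm_flags_unchecked(unsigned ifindex) {
    return iflist[ifindex]->ifm_flags;
}

/* Hardened lookup: reject index zero, indexes past the table, and NULL slots. */
static struct rainfo *iflist_lookup(unsigned ifindex) {
    if (ifindex == 0 || ifindex >= IFLIST_SIZE)
        return NULL;
    return iflist[ifindex];   /* may still be NULL for an unused index */
}

/* Returns 1 if the interface is known and up, 0 if known and down,
 * -1 if the index is out of range or has no table entry. */
static int iface_is_up(unsigned ifindex) {
    struct rainfo *ifi = iflist_lookup(ifindex);
    if (ifi == NULL)
        return -1;
    return (ifi->ifm_flags & IFF_UP) ? 1 : 0;
}

/* Constructed sample data: only indexes 2 and 5 exist, as after creating
 * and destroying interfaces; every other slot is a hole. */
static struct rainfo if2 = { 2, IFF_UP };
static struct rainfo if5 = { 5, 0 };

static void setup_iflist(void) {
    iflist[2] = &if2;
    iflist[5] = &if5;
}
```

A caller that drops packets when iface_is_up() returns -1 never dereferences a hole, which is the check missing from the quoted line.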

>How-To-Repeat:
Start rtadvd, create new interfaces that accept routing advertisements.

>Fix:
        

>Unformatted:
        
        