Hi,

By passing invalid rtm_flags and rtm_addrs values in the routing message, I can crash the kernel from user land.
login: uvm_fault(0xfffffe800554b388, 0x4, 0, 1) -> e fatal page fault in supervisor mode trap type 6 code 0 rip ffffffff812312d7 cs 8 rflags 246 cr2 4 cpl 5 rsp ffff8000039de8a0 panic: trap type 6, code=0, pc=ffffffff812312d7 Starting stack trace... panic() at panic+0xfb trap() at trap+0x710 --- trap (number 6) --- arp_rtrequest() at arp_rtrequest+0xc7 rtrequest1() at rtrequest1+0x56d route_output() at route_output+0x815 raw_usrreq() at raw_usrreq+0x227 route_usrreq() at route_usrreq+0x6e sosend() at sosend+0x466 dofilewritev() at dofilewritev+0x18b sys_write() at sys_write+0x8f syscall() at syscall+0x162 --- syscall (number 4) --- end of kernel end trace frame: 0x8439e0, count: 246 acpi_pdirpa+0x400a0a: End of stack trace. This diff prevents the crash. ok? bluhm Index: netinet/if_ether.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/if_ether.c,v retrieving revision 1.107 diff -u -p -u -p -r1.107 if_ether.c --- netinet/if_ether.c 3 Sep 2013 10:25:32 -0000 1.107 +++ netinet/if_ether.c 14 Oct 2013 13:09:40 -0000 @@ -191,7 +191,7 @@ arp_rtrequest(int req, struct rtentry *r * such as older version of routed or gated might provide, * restore cloning bit. */ - if ((rt->rt_flags & RTF_HOST) == 0 && + if ((rt->rt_flags & RTF_HOST) == 0 && rt_mask(rt) && satosin(rt_mask(rt))->sin_addr.s_addr != 0xffffffff) rt->rt_flags |= RTF_CLONING; if (rt->rt_flags & RTF_CLONING) {
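Review bot: the new `rt_mask(rt) &&` guard in the hunk at arp_rtrequest() contradicts the comment directly above it. The comment says that when "a mask is not provided, such as older version of routed or gated might provide, restore cloning bit", yet with the patched condition a route whose mask is NULL now skips `rt->rt_flags |= RTF_CLONING;` entirely, whereas a route with any non-host mask still gets it. Either the condition should read along the lines of `rt_mask(rt) == NULL ||` so that a missing mask restores the cloning bit as the comment describes, or the comment should be updated to say that a route without a mask is left alone; please reconcile the two before committing. The fix does address the reported crash: `cr2 4` in the trap output is offset 4 into a NULL pointer, which is exactly where `sin_addr` sits in `struct sockaddr_in` (after `sin_len`, `sin_family` and `sin_port`), so the fault is the `satosin(rt_mask(rt))->sin_addr.s_addr` dereference on a routing message that carried no netmask.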