[Bug 271573] [panic] ip_output->in_ifaddr_broadcast NULL pointer dereference after route change
Date: Mon, 22 May 2023 21:30:08 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271573

            Bug ID: 271573
           Summary: [panic] ip_output->in_ifaddr_broadcast NULL pointer dereference after route change
           Product: Base System
           Version: 12.4-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: vangyzen@FreeBSD.org

FreeBSD 12.4-STABLE #3 stable/12-n236157-886d82afb03

With a busy TCP flow using a non-RTF_HOST route on an IFF_BROADCAST interface, a "route change" operation on that route that changes the interface address can leave "ia" NULL, triggering a NULL pointer dereference.

#6  0xffffffff811020df in trap_pfault (frame=0xfffffe002c1e8420, usermode=<optimized out>, signo=<optimized out>, ucode=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:739
#7  <signal handler called>
#8  0xffffffff80d63c64 in in_ifaddr_broadcast (in=..., ia=0x0) at /usr/src/sys/netinet/in.c:1003
#9  0xffffffff80d75ee6 in ip_output (m=<optimized out>, opt=<optimized out>, ro=<optimized out>, flags=<optimized out>, imo=0x0, inp=<optimized out>) at /usr/src/sys/netinet/ip_output.c:404
#10 0xffffffff80e03787 in tcp_output (tp=0xfffff8000c922000) at /usr/src/sys/netinet/tcp_output.c:1444

There may be multiple changes that contribute to this, but one in particular is commit 1ebec5faf41f, which creates a window in rtrequest1_fib_change() when rt->rt_ifa is NULL. In my opinion, the right fix would close that window. This might use the wrong interface address, but it won't panic. It also won't use freed memory because that's prevented by the net_epoch.

This probably does not affect 13.x or later, which use nexthop.

-- 
You are receiving this mail because:
You are the assignee for the bug.
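The "window" the report describes, a shared pointer that is cleared and only later re-pointed at the new object while a concurrent reader can dereference it, can be shown with a constructed toy model. This is an added example, not FreeBSD code and not a patch for this bug: the structures toy_route and toy_ifa, the functions toy_send, change_ifa_with_window, change_ifa_no_window and run_scenario, and the two broadcast addresses are all assumptions made up for the illustration. The interleaving is simulated by calling the "sender" at the point where the real TCP sender would race; the toy has no real concurrency and models neither memory ordering nor the deferred freeing that net_epoch provides in the kernel.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy model (not FreeBSD code): a route points at an interface
 * address, and a concurrent sender dereferences that pointer the way the
 * ip_output() -> in_ifaddr_broadcast() path in the report dereferences the
 * route's interface address. All names here are assumptions. */
struct toy_ifa {
    uint32_t broadcast;   /* value the sender reads through the pointer */
    int      refcnt;      /* stands in for whatever keeps the object alive */
};

struct toy_route {
    struct toy_ifa *rt_ifa;   /* the pointer that must never be observed NULL */
};

/* The "sender": returns 1 if it could read through rt_ifa, 0 if it found
 * NULL (where the real kernel would take a page fault and panic). */
static int toy_send(struct toy_route *rt, uint32_t *bcast_out)
{
    struct toy_ifa *ia = rt->rt_ifa;
    if (ia == NULL)
        return 0;
    *bcast_out = ia->broadcast;
    return 1;
}

typedef void (*interleave_fn)(struct toy_route *);

/* Ordering with a window: clear the pointer, drop the old reference, and
 * only later point it at the new address. Anything running in between
 * observes NULL. */
static void change_ifa_with_window(struct toy_route *rt, struct toy_ifa *new_ifa,
                                   interleave_fn racer)
{
    struct toy_ifa *old = rt->rt_ifa;
    rt->rt_ifa = NULL;          /* the window opens here */
    if (old != NULL)
        old->refcnt--;
    if (racer != NULL)
        racer(rt);              /* models the concurrent TCP sender */
    new_ifa->refcnt++;
    rt->rt_ifa = new_ifa;       /* and closes here */
}

/* Ordering without a window: take a reference on the new address and publish
 * it before releasing the old one. A reader sees either the old or the new
 * address, never NULL. Reading the old one is safe only as long as it is not
 * freed underneath the reader; the refcount here merely stands in for that. */
static void change_ifa_no_window(struct toy_route *rt, struct toy_ifa *new_ifa,
                                 interleave_fn racer)
{
    struct toy_ifa *old = rt->rt_ifa;
    new_ifa->refcnt++;
    rt->rt_ifa = new_ifa;
    if (racer != NULL)
        racer(rt);              /* same race point as above */
    if (old != NULL)
        old->refcnt--;
}

/* What the interleaved sender observed in the most recent scenario run. */
static int      g_send_ok;
static uint32_t g_bcast;

static void racing_sender(struct toy_route *rt)
{
    g_send_ok = toy_send(rt, &g_bcast);
}

/* Run one "route change" with a sender racing in the middle of it.
 * Returns 1 if the sender read a valid address, 0 if it hit NULL. */
int run_scenario(int use_safe_ordering)
{
    /* Constructed sample addresses: 10.0.255.255 and 192.168.1.255. */
    struct toy_ifa old_ifa = { .broadcast = 0x0A00FFFFu, .refcnt = 1 };
    struct toy_ifa new_ifa = { .broadcast = 0xC0A801FFu, .refcnt = 0 };
    struct toy_route rt = { .rt_ifa = &old_ifa };

    g_send_ok = -1;
    g_bcast = 0;
    if (use_safe_ordering)
        change_ifa_no_window(&rt, &new_ifa, racing_sender);
    else
        change_ifa_with_window(&rt, &new_ifa, racing_sender);
    return g_send_ok;
}

/* Broadcast address the racing sender read in the last run (0 if it hit NULL). */
uint32_t last_observed_broadcast(void)
{
    return g_bcast;
}

int main(void)
{
    int unsafe = run_scenario(0);   /* sender observes NULL */
    int safe = run_scenario(1);     /* sender observes the new address */
    return (unsafe == 0 && safe == 1) ? 0 : 1;
}
```

The difference between the two update routines is only the order of the stores: publishing the replacement before releasing the old object is what removes the NULL state the report's sender ran into, at the cost the reporter notes, that a racing reader may briefly use the previous address. In real kernel code the same ordering needs a release/acquire pair or the subsystem's own synchronization, and the old object must be freed only after readers can no longer hold it; the toy leaves both of those out.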