[Bug 283970] [PATCH] netpfil/ipfw: Fix wrong indent number to dump ctl3_handlers
Date: Fri, 10 Jan 2025 07:12:57 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283970 Bug ID: 283970 Summary: [PATCH] netpfil/ipfw: Fix wrong indent number to dump ctl3_handlers Product: Base System Version: Unspecified Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: nakayamakenjiro@gmail.com Created attachment 256593 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=256593&action=edit ip_fw_sockopt.patch ctl3_handlers dump_soptcodes() accesses ctl3_handlers with a wrong index: ``` for (n = 1; n <= count; n++) { ... omit ... sh = &ctl3_handlers[n]; # when n == count, this read is out of bounds. ``` Here is the observation on FreeBSD 14.0 with kgdb: --- 1. Step through dump_soptcodes() to the problem code. ``` (kgdb) frame #0 dump_soptcodes (chain=<optimized out>, op3=<optimized out>, sd=0xfffffe007325eb58) at /usr/src/sys/netpfil/ipfw/ip_fw_sockopt.c:3137 3137 for (n = 1; n <= count; n++) ``` 2. Print the value of "count", which is 29. ``` (kgdb) print count $24 = 29 ``` 3. ctl3_handlers[0] through ctl3_handlers[28] contain values, but ctl3_handlers[29] is empty; that is, the populated entries are indices 0 through count-1, so the loop's final iteration (n == count) reads one element past them. 
``` (kgdb) print ctl3_handlers[0]@30 $26 = {{opcode = 86, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e3a010 <manage_table_ent_v0>, refcnt = 0}, {opcode = 86, version = 1 '\001', dir = 3 '\003', handler = 0xffffffff82e3a120 <manage_table_ent_v1>, refcnt = 0}, {opcode = 87, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e3a010 <manage_table_ent_v0>, refcnt = 0}, {opcode = 87, version = 1 '\001', dir = 3 '\003', handler = 0xffffffff82e3a120 <manage_table_ent_v1>, refcnt = 0}, {opcode = 88, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e3ac10 <get_table_size>, refcnt = 0}, {opcode = 89, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e39c80 <dump_table_v0>, refcnt = 0}, {opcode = 89, version = 1 '\001', dir = 2 '\002', handler = 0xffffffff82e39e80 <dump_table_v1>, refcnt = 0}, {opcode = 90, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e395a0 <flush_table_v0>, refcnt = 0}, {opcode = 92, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e39bb0 <list_tables>, refcnt = 0}, {opcode = 93, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e39ac0 <describe_table>, refcnt = 0}, {opcode = 94, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e395a0 <flush_table_v0>, refcnt = 0}, {opcode = 95, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e39430 <create_table>, refcnt = 0}, {opcode = 96, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e398a0 <modify_table>, refcnt = 0}, {opcode = 97, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e31730 <dump_config>, refcnt = 0}, {opcode = 98, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e320a0 <add_rules>, refcnt = 0}, {opcode = 99, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e32640 <del_rules>, refcnt = 0}, {opcode = 100, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e32af0 <move_rules>, refcnt = 0}, {opcode = 101, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e327a0 
<clear_rules>, refcnt = 0}, {opcode = 102, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e327a0 <clear_rules>, refcnt = 0}, {opcode = 103, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e32c30 <manage_sets>, refcnt = 0}, {opcode = 104, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e32c30 <manage_sets>, refcnt = 0}, {opcode = 105, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e32c30 <manage_sets>, refcnt = 0}, { opcode = 106, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e3a3b0 <find_table_entry>, refcnt = 0}, {opcode = 107, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e3fbd0 <list_ifaces>, refcnt = 0}, {opcode = 108, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e3aaf0 <list_table_algo>, refcnt = 0}, {opcode = 109, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e3a510 <swap_table>, refcnt = 0}, {opcode = 110, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e40f10 <list_table_values>, refcnt = 0}, {opcode = 116, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e32e80 <dump_soptcodes>, refcnt = 1}, {opcode = 117, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e330a0 <dump_srvobjects>, refcnt = 0}, {opcode = 0, version = 0 '\000', dir = 0 '\000', handler = 0x0, refcnt = 0}} (kgdb) print ctl3_handlers[0] $28 = {opcode = 86, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e3a010 <manage_table_ent_v0>, refcnt = 0} (kgdb) print ctl3_handlers[28] $29 = {opcode = 117, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e330a0 <dump_srvobjects>, refcnt = 0} (kgdb) print ctl3_handlers[29] $30 = {opcode = 0, version = 0 '\000', dir = 0 '\000', handler = 0x0, refcnt = 0} ``` --- -- You are receiving this mail because: You are the assignee for the bug.