[Bug 267457] missing array terminator in netgraph's ng_bridge.h
Date: Mon, 31 Oct 2022 08:06:00 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267457
Bug ID: 267457
Summary: missing array terminator in netgraph's ng_bridge.h
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #237745 mime type: text/plain
Created attachment 237745
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237745&action=edit
provoke crash in netgraph due to missing { NULL } array terminator
This is in sys/netgraph/ng_bridge.h:
#define NG_BRIDGE_MOVE_HOST_TYPE_INFO(entype) { \
{ "addr", (entype) }, \
{ "hook", &ng_parse_hookbuf_type }, \
}
I believe there should be a { NULL } at the end to prevent code from
running off the end of this array.
I've attached a demo. ng_unparse_composite() calls
ng_get_composite_len(), which returns 3 rather than the correct 2 due
to lack of the { NULL }, causing ng_unparse_composite()'s loop to
index off the end of the type array. Then ng_parse_get_elem_pad()
fetches a garbage function pointer in ALIGNMENT() using a too-large
index and calls it.
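The failure mode described above, as an added illustration that is not part of the bug report or of FreeBSD's code: a sentinel-terminated field array is counted the way ng_get_composite_len() counts it (walk until a NULL name), beside a bounded variant that detects a missing { NULL } instead of reading past the array. The struct, the placeholder "types" and both helper functions are stand-ins invented here; only the array shape mirrors the macro quoted from ng_bridge.h.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for netgraph's field descriptor (hypothetical, simplified):
 * a NULL name marks the end of the array, as in ng_bridge.h. */
struct field {
	const char *name;
	const void *type;	/* opaque here; an ng_parse type in netgraph */
};

/* Placeholder types; constructed for this example only. */
static const int addr_type, hookbuf_type;

/* Same shape as NG_BRIDGE_MOVE_HOST_TYPE_INFO in the report: no sentinel. */
static const struct field move_host_unterminated[] = {
	{ "addr", &addr_type },
	{ "hook", &hookbuf_type },
};

/* The corrected shape: a { NULL } entry closes the array. */
static const struct field move_host_terminated[] = {
	{ "addr", &addr_type },
	{ "hook", &hookbuf_type },
	{ NULL }
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Sentinel-only count, the way ng_get_composite_len() walks the array.
 * On an unterminated array it reads past the last element (undefined
 * behaviour), which is what produced the panic in the report. Only call
 * it on arrays known to carry their sentinel. */
static size_t
count_fields_sentinel(const struct field *f)
{
	size_t n = 0;

	while (f[n].name != NULL)
		n++;
	return n;
}

/* Bounded count: never look beyond nelem entries. Returns the number of
 * fields before the sentinel, or -1 if no sentinel exists within the
 * declared bound, i.e. the array is missing its { NULL } terminator. */
static long
count_fields_bounded(const struct field *f, size_t nelem)
{
	size_t n;

	for (n = 0; n < nelem; n++)
		if (f[n].name == NULL)
			return (long)n;
	return -1;
}

/* Named entry points so the two arrays can be checked by name. */
long
check_terminated(void)
{
	return count_fields_bounded(move_host_terminated,
	    NELEM(move_host_terminated));
}

long
check_unterminated(void)
{
	return count_fields_bounded(move_host_unterminated,
	    NELEM(move_host_unterminated));
}

int
main(void)
{
	printf("terminated array:   %ld fields\n", check_terminated());
	printf("unterminated array: %ld (no sentinel within bound)\n",
	    check_unterminated());
	printf("sentinel walk of terminated array: %zu fields\n",
	    count_fields_sentinel(move_host_terminated));
	return 0;
}
```

The bounded variant only works where the declaring unit knows the array's element count, which a macro expanded into an initializer does; a check like this at type-registration time would reject the unterminated table before any unparse path could walk it.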
# cc ng6a.c -lnetgraph
# ./a.out
panic: Fatal page fault at 0x7070705f676e007c: 0x7070705f676e007c
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 12, tval = 0x7070705f676e007c
(null)() at 0x7070705f676e007c
ng_unparse_composite() at ng_unparse_composite+0xf6
ng_struct_unparse() at ng_struct_unparse+0xe
ng_unparse() at ng_unparse+0x30
ng_generic_msg() at ng_generic_msg+0x938
ng_apply_item() at ng_apply_item+0xf6
ng_snd_item() at ng_snd_item+0x1bc
ngc_send() at ngc_send+0x260
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)