misc/112126: netstat segfaults on unusual ICMP statistics

Maxim Konovalov maxim at macomnet.ru
Wed Apr 25 18:50:09 UTC 2007 

The following reply was made to PR bin/112126; it has been noted by GNATS.

From: Maxim Konovalov <maxim at macomnet.ru>
To: Christoph Weber-Fahr <cwf-ml at arcor.de>
Cc: bug-followup at freebsd.org
Subject: Re: misc/112126: netstat segfaults on unusual ICMP statistics
Date: Wed, 25 Apr 2007 22:45:35 +0400 (MSD)

 Hi Christoph,
 
 On Wed, 25 Apr 2007, 15:29-0000, Christoph Weber-Fahr wrote:
 
 > >Description:
 > we have a number of very busy publicly available production servers
 > running FreeBSD.
 >
 > On some of these systems, netstat -s fails with a segmentation
 > fault.  This is especially problematic, since system monitoring
 > tools use netstat periodically to gather statistics.
 >
 > I looked into the issue in the netstats sources. The netstat utility
 > mainatins an internal array for ICMP type names. But for listing the
 > icmp statistics it relies on the ICMP_MAXTYPE kernel define pulled
 > from the syestem include files.
 >
 > Those values are badly out of sync - ICMP_MAXTYPE is at 40, while
 > netstat's name array has just 19 entries. So, as soon as the kernel
 > has logged a stat for an icmp type > 19, netstat -s dumps core.
 >
 
 [...]
 > the appended patch
 >
 > - enhances netstat's array to 40 with names from the include file
 > - provides a mechanism to deal gracefully with such a situation
 >   schould it arise in the future again.
 >
 > The patch was created and tested on FreeBSD 6.1-p15. It was also
 > tested on FreeBSD 6.2-p3.
 >
 > Patch attached with submission follows:
 >
 > --- usr.bin/netstat/inet.c.org	Wed Apr 25 15:44:51 2007
 > +++ usr.bin/netstat/inet.c	Wed Apr 25 17:19:17 2007
 > @@ -653,8 +653,32 @@
 >  	"information request reply",
 >  	"address mask request",
 >  	"address mask reply",
 > +	"#19",
 > +	"#20",
 > +	"#21",
 > +	"#22",
 > +	"#23",
 > +	"#24",
 > +	"#25",
 > +	"#26",
 > +	"#27",
 > +	"#28",
 > +	"#29",
 > +	"icmp traceroute",
 > +	"data conversion error",
 > +	"mobile host redirect",
 > +	"IPv6 where-are-you",
 > +	"IPv6 i-am-here",
 > +	"mobile registration req",
 > +	"mobile registration reply",
 > +	"#37",
 > +	"#38",
 > +	"icmp SKIP",
 > +	"icmp photuris",
 >  };
 >
 > +static const int max_known_icmpname=40;
 > +
 >
 >  /*
 >   * Dump ICMP statistics.
 >   */
 > @@ -698,8 +722,13 @@
 >  				printf("\tOutput histogram:\n");
 >  				first = 0;
 >  			}
 > -			printf("\t\t%s: %lu\n", icmpnames[i],
 > -				icmpstat.icps_outhist[i]);
 > +			if (i <= max_known_icmpname) {
 > +				printf("\t\t%s: %lu\n", icmpnames[i],
 > +					icmpstat.icps_outhist[i]);
 > +			} else {
 > +				printf("\t\tunknown ICMP #%d: %lu\n", i,
 > +					icmpstat.icps_outhist[i]);
 > +			}
 >  		}
 >  	p(icps_badcode, "\t%lu message%s with bad code fields\n");
 >  	p(icps_tooshort, "\t%lu message%s < minimum length\n");
 > @@ -713,8 +742,13 @@
 >  				printf("\tInput histogram:\n");
 >  				first = 0;
 >  			}
 > -			printf("\t\t%s: %lu\n", icmpnames[i],
 > -				icmpstat.icps_inhist[i]);
 > +			if (i <= max_known_icmpname) {
 > +				printf("\t\t%s: %lu\n", icmpnames[i],
 > +					icmpstat.icps_inhist[i]);
 > +			} else {
 > +				printf("\t\tunknown ICMP #%d: %lu\n", i,
 > +					icmpstat.icps_inhist[i]);
 > +			}
 >  		}
 >  	p(icps_reflect, "\t%lu message response%s generated\n");
 >  	p2(icps_badaddr, "\t%lu invalid return address%s\n");
 
 It's not clear why do you need to check i <= max_known_icmpname when
 the upper loop already checked that:
 
 for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++).
 
 Can I suggest an alternative patch:
 
 Index: inet.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.bin/netstat/inet.c,v
 retrieving revision 1.74
 diff -u -p -r1.74 inet.c
 --- inet.c	26 Feb 2007 22:25:21 -0000	1.74
 +++ inet.c	25 Apr 2007 18:32:13 -0000
 @@ -636,7 +636,7 @@ ip_stats(u_long off __unused, const char
  #undef p1a
  }
 
 -static	const char *icmpnames[] = {
 +static	const char *icmpnames[ICMP_MAXTYPE + 1] = {
  	"echo reply",
  	"#1",
  	"#2",
 @@ -656,6 +656,28 @@ static	const char *icmpnames[] = {
  	"information request reply",
  	"address mask request",
  	"address mask reply",
 +	"#19",
 +	"#20",
 +	"#21",
 +	"#22",
 +	"#23",
 +	"#24",
 +	"#25",
 +	"#26",
 +	"#27",
 +	"#28",
 +	"#29",
 +	"icmp traceroute",
 +	"data conversion error",
 +	"mobile host redirect",
 +	"IPv6 where-are-you",
 +	"IPv6 i-am-here",
 +	"mobile registration req",
 +	"mobile registration reply",
 +	"domain name request",
 +	"domain name reply",
 +	"icmp SKIP",
 +	"icmp photuris",
  };
 
  /*
 %%%
 
 -- 
 Maxim Konovalov

More information about the freebsd-bugs mailing list