kern/138690: Multicast: uninited memory used in filter at IP_DROP_MEMBERSHIP + IP_ADD_MEMBERSHIP

Stef Walter stef at memberwebs.com
Thu Sep 10 06:00:10 UTC 2009


>Number:         138690
>Category:       kern
>Synopsis:       Multicast: uninited memory used in filter at IP_DROP_MEMBERSHIP + IP_ADD_MEMBERSHIP
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 10 06:00:09 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Stef Walter
>Release:        8.0-BETA4
>Organization:
>Environment:
FreeBSD northstar-gate.ws.local 8.0-BETA4 FreeBSD 8.0-BETA4 #8: Thu Sep 10 05:15:49 UTC 2009     op at northstar-gate.ws.local:/usr/src/sys/i386/compile/MESHNODE  i386

>Description:
If a multicast caller does an IP_DROP_MEMBERSHIP followed by an
IP_ADD_MEMBERSHIP, often an uninitialized filter is used for the
in_mfilter passed to in_joingroup_locked() in netinet/in_mcast.c.

The IP_ADD_MEMBERSHIP and IP_DROP_MEMBERSHIP have simple in_mreq input,
and are not using SSM or any of the new IGMPv3 features.

>How-To-Repeat:
This results in the following behavior shown by ifmcstat. Before the
drop + add you can see the following groups for the northstar1
interface. Note that 224.0.0.5 (i.e. OSPF-ALL.MCAST.NET) is subscribed
with an empty exclude filter as you would expect from simple ASM mode:

> > # ifmcstat -i northstar1
> > northstar1:
> > 	inet 172.28.1.66
> > 	igmpv3 flags=0<> rv 2 qi 125 qri 10 uri 3
> > 		group 224.0.0.5 mode exclude
> > 		group 224.0.0.1 mode exclude

After the drop + add, it looks like the following. Note that now
224.0.0.5 is subscribed with an empty *include* filter which results in
no packets received.

> > # ifmcstat -i northstar1
> > northstar1:
> > 	inet 172.28.1.66
> > 	igmpv3 flags=0<> rv 2 qi 125 qri 10 uri 3
> > 		group 224.0.0.1 mode exclude
> > 		group 224.0.0.5 mode include

>Fix:
Patch is attached which fixes the problem. Bruce Simpson has signed off on this patch via the freebsd-net mailing list. 

Patch attached with submission follows:

--- sys/netinet/in_mcast.c.orig	2009-08-03 08:13:06.000000000 +0000
+++ sys/netinet/in_mcast.c	2009-09-09 15:01:24.000000000 +0000
@@ -2024,6 +2050,9 @@
 			error = ENOMEM;
 			goto out_imo_free;
 		}
+	} else if (is_new) {
+		/* Old style ASM filter mode is always exclude */
+		imf_init(imf, MCAST_UNDEFINED, MCAST_EXCLUDE);
 	}
 
 	/*
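
Review bot: The comment inside the new `else if (is_new)` branch names the mode that is set but not why the call is needed here. As the Description says, without it a new membership created through the plain in_mreq path reaches in_joingroup_locked() with an uninitialized imf; stating that in the comment (for example "imf is not yet initialized for a new non-SSM membership; old-style ASM joins always start in exclude mode") would keep the branch from being dropped as redundant later. Separately, the hunk header moves the same context from line 2024 to line 2050 while this hunk adds only three lines, so the diff was taken against a file carrying other changes earlier in in_mcast.c; regenerate it against an unmodified file so it applies without offsets.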


>Release-Note:
>Audit-Trail:
>Unformatted:
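
Added example, not part of the original PR: a small check for the symptom shown under How-To-Repeat, comparing two ifmcstat snapshots and reporting groups whose filter mode went from exclude to include. The function name mode_flips and the snapshot separator are assumptions of this example; the sample input is the two listings from the report, retyped with spaces.

```sh
#!/bin/sh
# mode_flips BEFORE_TEXT AFTER_TEXT
# Prints "<interface> <group> exclude->include" for every group that was in
# exclude mode in the first ifmcstat snapshot and in include mode in the second.
mode_flips() {
    printf '%s\n--SNAP--\n%s\n' "$1" "$2" | awk '
        $0 == "--SNAP--"     { pass = 2; next }                     # second snapshot begins
        NF == 1 && $1 ~ /:$/ { ifn = $1; sub(/:$/, "", ifn); next } # interface header line
        $1 == "group" && $3 == "mode" {
            key = ifn SUBSEP $2
            if (pass != 2)
                before[key] = $4                                    # remember earlier mode
            else if (before[key] == "exclude" && $4 == "include")
                printf "%s %s exclude->include\n", ifn, $2
        }'
}

# Sample input taken from the report (listing before the drop + add).
BEFORE='northstar1:
    inet 172.28.1.66
    igmpv3 flags=0<> rv 2 qi 125 qri 10 uri 3
        group 224.0.0.5 mode exclude
        group 224.0.0.1 mode exclude'

# Sample input taken from the report (listing after the drop + add).
AFTER='northstar1:
    inet 172.28.1.66
    igmpv3 flags=0<> rv 2 qi 125 qri 10 uri 3
        group 224.0.0.1 mode exclude
        group 224.0.0.5 mode include'

mode_flips "$BEFORE" "$AFTER"

# On a live system, capture the snapshots around the re-join instead:
#   before=$(ifmcstat -i northstar1)
#   ... application drops and re-adds its membership ...
#   mode_flips "$before" "$(ifmcstat -i northstar1)"
```

A group reported here that the application joined with a plain in_mreq and no source list matches the behavior described in this PR.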

