Subject: kern/2531: bpf BIOCSRTIMEOUT can round tv_usec down to zero (block)
To: None <gnats-bugs@NetBSD.ORG>
From: John Hawkinson <jhawk@mit.edu>
List: netbsd-bugs
Date: 06/08/1996 18:31:52
>Number:         2531
>Category:       kern
>Synopsis:       bpf BIOCSRTIMEOUT can round tv_usec down to zero (block)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun  8 19:05:01 1996
>Last-Modified:
>Originator:     John Hawkinson
>Organization:
MIT SIPB
>Release:        1.2_ALPHA
>Environment:
System: NetBSD lola-granola 1.1B NetBSD 1.1B (LOLA) #8: Fri Apr 19 11:03:57 EDT 1996 mycroft@zygorthian-space-raiders:/afs/sipb.mit.edu/project/netbsd/dev/current-source/build/i386_nbsd1/sys/arch/i386/compile/LOLA i386


>Description:

	When bpfioctl() processes a BIOCSRTIMEOUT ioctl where
	tv->tv_usec is less than tick (10,000 on this system)
	and tv->tv_sec is zero, it will set d->bd_rtout (number
	of ticks to wait) to zero.

	Because d->bd_rtout is overloaded so that zero means "block
	forever" rather than "return instantly", code that expects to
	return after a very short wait can instead block for a very
	long time.

>How-To-Repeat:

Use an obscenely small value for tv_usec:

  #include <sys/types.h>
  #include <sys/ioctl.h>
  #include <sys/time.h>
  #include <net/bpf.h>
  #include <fcntl.h>
  #include <stdio.h>
  #include <stdlib.h>

  int main(void)
  {
    /* tv_usec far below one tick (10,000 us here): rounds down to 0 ticks */
    struct timeval bpftimeout = { /* tv_sec */ 0, /* tv_usec */ 200 };
    int fd = open("/dev/bpf0", O_RDONLY); /* bpf node path assumed */

    if (fd < 0 || ioctl(fd, BIOCSRTIMEOUT, &bpftimeout) < 0) {
      perror("open/BIOCSRTIMEOUT");
      exit(1);
    }
    /* a read(fd, ...) now blocks indefinitely rather than for ~200 us */
    return 0;
  }
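The tick arithmetic the report describes, modelled in userland as an added example (not code from this PR or from the NetBSD tree): rtout_ticks() reproduces the original and the patched kernel computation, and bpf_timeout_min_tick() is an assumed caller-side workaround that raises any non-zero sub-tick request to one tick so an unpatched kernel never arrives at zero. hz = 100 and tick = 10,000 us are assumed from the report's "10,000 on this system".

```c
#include <sys/time.h>
#include <stdio.h>

/* Assumed clock parameters; the report states tick is 10,000 on this system. */
#define CLOCK_HZ 100
#define TICK_US  10000   /* microseconds per clock tick */

/*
 * Model of the bpfioctl() BIOCSRTIMEOUT arithmetic.  A result of 0 is
 * read by the bpf read path as "block forever", which is the hazard.
 * patched != 0 applies the one-line fix proposed in the PR.
 */
long rtout_ticks(const struct timeval *tv, int patched)
{
    long rtout = tv->tv_sec * CLOCK_HZ + tv->tv_usec / TICK_US; /* truncates */

    if (patched && rtout == 0 && tv->tv_usec != 0)
        rtout = 1;   /* caller asked for a short wait, not for "forever" */
    return rtout;
}

/*
 * Caller-side mitigation for an unpatched kernel: a request that is
 * non-zero but shorter than one tick is raised to exactly one tick.
 * A genuine {0, 0} is left alone, since that is the "block forever" value.
 * Returns 1 if the timeval was adjusted, 0 otherwise.
 */
int bpf_timeout_min_tick(struct timeval *tv)
{
    if (tv->tv_sec == 0 && tv->tv_usec > 0 && tv->tv_usec < TICK_US) {
        tv->tv_usec = TICK_US;
        return 1;
    }
    return 0;
}

int main(void)
{
    struct timeval tv = { 0, 200 };   /* the PR's repro value */

    printf("200us: unpatched=%ld ticks, patched=%ld ticks\n",
           rtout_ticks(&tv, 0), rtout_ticks(&tv, 1));
    bpf_timeout_min_tick(&tv);
    printf("after clamp: %ld.%06ld s -> %ld ticks\n",
           (long)tv.tv_sec, (long)tv.tv_usec, rtout_ticks(&tv, 0));
    return 0;
}
```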

>Fix:
*** bpf.c	Sun Jun  2 14:54:38 1996
--- /var/tmp/bpf.c	Sat Jun  8 18:29:09 1996
***************
*** 748,753 ****
--- 748,755 ----
  
  			/* Compute number of ticks. */
  			d->bd_rtout = tv->tv_sec * hz + tv->tv_usec / tick;
+ 			if ((d->bd_rtout == 0) && (tv->tv_usec != 0))
+ 			  d->bd_rtout = 1;
  			break;
  		}
  
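Review bot: the added guard handles only the sub-tick case; the truncating `tv->tv_usec / tick` on the line above it still fires any request that is not a whole multiple of a tick up to one tick early (19,999 us on this system becomes 1 tick, not 2). Rounding the microsecond part up instead, `d->bd_rtout = tv->tv_sec * hz + (tv->tv_usec + tick - 1) / tick;`, gives "never earlier than requested" uniformly, makes the new `if` unnecessary, and still yields 0 for a genuine {0, 0} request so that value keeps its "block forever" meaning. Style: `d->bd_rtout = 1;` is indented with a tab plus two spaces while the surrounding code uses tabs only.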

>Audit-Trail:
>Unformatted: