Subject: kern/9048: ctlinput routine in net{iso,ccitt} needs more sanity check
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 12/23/1999 19:27:38
>Number:         9048
>Category:       kern
>Synopsis:       ctlinput routine in net{iso,ccitt} needs more sanity check
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 23 19:27:00 1999
>Last-Modified:
>Originator:     Jun-ichiro itojun Hagino
>Organization:
itojun.org
>Release:        KAME/NetBSD141, NetBSD-current
>Environment:
System: NetBSD lychee.itojun.org 1.4.1 NetBSD 1.4.1 (LYCHEE.v6) #455: Fri Dec 24 12:16:25 JST 1999 itojun@lychee.itojun.org:/export/home/itojun/k/kame/netbsd/sys/arch/i386/compile/LYCHEE.v6 i386

>Description:
	as pfctlinput() calls EVERY xx_ctlinput() routine, each
	xx_ctlinput() needs to be careful about the parameters passed to it.
	the following routines have insufficient checks, and they lead
	to a kernel panic when certain pfctlinput() calls are made.
		netccitt/pk_input.c
		netiso/esis.c
		netiso/tp_cons.c
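	The fan-out the report describes, as an added model written for this page (not code from the PR or from NetBSD): every hook receives the same (cmd, sa, addr) triple, so a hook must prove the family before it casts addr. The struct layouts, the hook set and the PRC value are assumptions made for the model.

```c
/* Added example, not from the PR or NetBSD: a model of the pfctlinput()
 * fan-out described above.  Every ctlinput hook gets the same (cmd, sa, addr),
 * but addr is a cookie only the owner of sa->sa_family can interpret, so each
 * hook checks the family before casting.  Layouts and values are invented. */
#include <stddef.h>
enum { AF_INET = 2, AF_ISO = 7, AF_CCITT = 10 };   /* BSD AF_* numbering */
enum { PRC_UNREACH_HOST = 9 };                       /* model-only value */
struct sockaddr { unsigned char sa_len, sa_family; char sa_data[14]; };
struct pkcb { int pk_state; };      /* stand-in for the CCITT control block */
struct ipcookie { int ip_hlen; };   /* stand-in for what inet passes as addr */
typedef void *(*ctlinput_fn)(int, struct sockaddr *, void *);

/* Guarded hook in the spirit of the pk_input.c hunk: unless the family says
 * the source is CCITT, addr is not a struct pkcb and must not be touched. */
static void *pk_ctlinput(int cmd, struct sockaddr *sa, void *addr)
{
    if (sa == NULL || sa->sa_family != AF_CCITT)
        return NULL;
    struct pkcb *pkp = addr;        /* safe: the family proves the type */
    pkp->pk_state = cmd;
    return pkp;
}

static void *ip_ctlinput(int cmd, struct sockaddr *sa, void *addr)
{
    if (sa == NULL || sa->sa_family != AF_INET)
        return NULL;
    struct ipcookie *c = addr;
    c->ip_hlen = cmd;
    return c;
}

static const ctlinput_fn hooks[] = { ip_ctlinput, pk_ctlinput };
/* Model of pfctlinput(): offer the event to every hook, count the takers. */
int pfctlinput_model(int cmd, struct sockaddr *sa, void *addr)
{
    int claimed = 0;
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++)
        if (hooks[i](cmd, sa, addr) != NULL)
            claimed++;
    return claimed;
}

/* Report's scenario: ICMP unreachable with an AF_INET source; only inet claims it. */
int icmp_unreach_fanout(void)
{
    struct sockaddr sa = { sizeof sa, AF_INET, { 0 } };
    struct ipcookie cookie = { 0 };
    return pfctlinput_model(PRC_UNREACH_HOST, &sa, &cookie);
}
```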

>How-To-Repeat:
	get icmp{,6} unreachability messages, to invoke pfctlinput().
>Fix:

	I'm not quite sure who maintains this domain...

Index: netccitt/pk_input.c
===================================================================
RCS file: /cvsroot/kame/kame/netbsd/sys/netccitt/pk_input.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 pk_input.c
*** netccitt/pk_input.c	1999/07/29 12:25:07	1.1.1.1
--- netccitt/pk_input.c	1999/12/24 03:18:14
***************
*** 263,268 ****
--- 263,272 ----
  	register struct pkcb *pkp = (struct pkcb *) addr;
  	struct rtentry *llrt;
  
+ 	/* addr may not be valid if src is not ccitt */
+ 	if (src->sa_family != AF_CCITT)
+ 		return (0);
+ 
  	switch (code) {
  	case PRC_LINKUP:
  		if (pkp->pk_state == DTE_WAITING)
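Review bot: the new guard returns `(0)` while the esis.c and tp_cons.c hunks return `NULL`; the hook returns a pointer, so `return NULL;` here keeps the three fixes consistent. Also worth confirming that no caller can hand pk_ctlinput() a NULL `src`, since `src->sa_family` is now dereferenced before anything else; if one can, extend the condition to `src == NULL || src->sa_family != AF_CCITT`.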
Index: netiso/esis.c
===================================================================
RCS file: /cvsroot/kame/kame/netbsd/sys/netiso/esis.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 esis.c
*** netiso/esis.c	1999/07/29 12:25:11	1.1.1.1
--- netiso/esis.c	1999/12/24 03:18:19
***************
*** 1184,1189 ****
--- 1184,1192 ----
  {
  	register struct iso_ifaddr *ia;	/* scan through interface addresses */
  
+ 	if (siso->sa_family != AF_ISO)
+ 		return NULL;
+ 
  	if (req == PRC_IFDOWN)
  		for (ia = iso_ifaddr.tqh_first; ia != 0;
  		     ia = ia->ia_list.tqe_next) {
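Review bot: the added check carries no explanation, unlike the pk_input.c hunk (`/* addr may not be valid if src is not ccitt */`); a matching one-line comment above `if (siso->sa_family != AF_ISO)` would tell the next reader that the third argument is only meaningful for AF_ISO notifications. The same question about a NULL `siso` applies here as for pk_input.c.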
Index: netiso/tp_cons.c
===================================================================
RCS file: /cvsroot/kame/kame/netbsd/sys/netiso/tp_cons.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 tp_cons.c
*** netiso/tp_cons.c	1999/07/29 12:25:11	1.1.1.1
--- netiso/tp_cons.c	1999/12/24 03:18:21
***************
*** 164,169 ****
--- 164,172 ----
  	struct isopcb  *isop = v;
  	register struct tp_pcb *tpcb = 0;
  
+ 	if (siso->sa_family != AF_ISO)
+ 		return NULL;
+ 
  	if (isop->isop_socket)
  		tpcb = (struct tp_pcb *) isop->isop_socket->so_pcb;
  	switch (cmd) {
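Review bot: `isop = v` is assigned before the family test and `isop->isop_socket` is dereferenced immediately after it, so the guard is in the right place, but a short comment stating that `v` is only an `isopcb` when `siso` is AF_ISO would make that ordering deliberate rather than accidental for future edits. As with the other two hunks, `return NULL` is fine provided `siso` can never be NULL here.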
>Audit-Trail:
>Unformatted: