[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-tech
Subject:    [PATCH] Fix ospfd segmentation fault on startup
From:       Johan Ymerson <johan.ymerson () transmode ! com>
Date:       2015-05-27 12:41:14
Message-ID: 1432730474.26534.28.camel () transmode ! com
[Download RAW message or body]

Hi,

When debugging problems with ospfd and carp on startup, I managed to get
ospfd to segfault a couple of times.
I tracked down the issue to if_change() and main_imsg_compose_ospfe().

if_change() is called before imsg_init is called to initialize the
imsgbuf struct. If a link state change to UP occurs during the small
time frame the imsgbuf pointer is uninitialized, we have a null pointer
dereference in main_imsg_compose_ospfe().

Safe-guard against this by simply not calling imsg_compose_event() if
the imsgbuf pointer is null.

Index: ospfd.c
===================================================================
RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v
retrieving revision 1.83
diff -u -p -r1.83 ospfd.c
--- ospfd.c     10 Feb 2015 05:24:48 -0000      1.83
+++ ospfd.c     27 May 2015 12:35:08 -0000
@@ -511,13 +511,15 @@ main_dispatch_rde(int fd, short event, v
 void
 main_imsg_compose_ospfe(int type, pid_t pid, void *data, u_int16_t datalen)
 {
-       imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen);
+       if (iev_ospfe)
+               imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen);
 }
 
 void
 main_imsg_compose_rde(int type, pid_t pid, void *data, u_int16_t datalen)
 {
-       imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen);
+       if (iev_rde)
+               imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen);
 }
 
 void


[prev in list] [next in list] [prev in thread] [next in thread]