Mailing List Archive

From:: Alexander Bluhm <bluhm@openbsd.org>
Subject:: route an_match NULL deref
To:: tech@openbsd.org
Date:: Mon, 25 Mar 2024 21:11:56 +0100

Download raw body.

Thread

2024-03-25 20:11 Alexander Bluhm:
route an_match NULL deref
- 2024-03-25 20:45 Vitaliy Makkoveev:
  route an_match NULL deref

Hi,

On a customer's machine based on OpenBSD 7.4 I saw this crash.
Stack trace typed from jpeg with OCR.

uum_fault(0xfffffd87681555b8, 0x0, 0, 1) -> e
kernel: page fault trap, code=0

Stopped at rtable_lookup+0xdc: movq 0(%rax),%rdi

*477466 31379 0 0 0  4 ospfd

rtable_lookup()
rtm_output()
route_output()
route_send()
sosend()
dofilewritev()
sys_writev()
syscall()
Xsyscall()

From disassmbler I see that rt == NULL in an_match().

ok?

bluhm

Index: net/rtable.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/rtable.c,v
diff -u -p -r1.85 rtable.c
--- net/rtable.c	12 Nov 2023 17:51:40 -0000	1.85
+++ net/rtable.c	25 Mar 2024 19:24:05 -0000
@@ -875,7 +875,7 @@ an_match(struct art_node *an, const stru
 		return (0);
 
 	rt = SRPL_FIRST(&sr, &an->an_rtlist);
-	match = (memcmp(rt->rt_dest, dst, dst->sa_len) == 0);
+	match = (rt != NULL && memcmp(rt->rt_dest, dst, dst->sa_len) == 0);
 	SRPL_LEAVE(&sr);
 
 	return (match);

2024-03-25 20:11 Alexander Bluhm:
route an_match NULL deref
- 2024-03-25 20:45 Vitaliy Makkoveev:
  route an_match NULL deref