Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 (Tek) 9/26/83; site tekchips.UUCP
Path: utzoo!watmath!clyde!burl!mgnetp!ihnp4!zehntel!dual!amd70!decwrl!decvax!ucbvax!ucbcad!tektronix!tekchips!rickk
From: rickk@tekchips.UUCP
Newsgroups: net.bugs.4bsd
Subject: Bug in ip_input.c
Message-ID: <893@tekchips.UUCP>
Date: Tue, 10-Jul-84 00:54:59 EDT
Article-I.D.: tekchips.893
Posted: Tue Jul 10 00:54:59 1984
Date-Received: Thu, 28-Jun-84 06:27:48 EDT
Organization: Tektronix, Beaverton OR
Lines: 68

This bug can cause havoc with the ip_protox array, whose values are used as an index into the protosw. Most likely this doesn't affect anyone, but may well at some later point.

The original code looks one entry too far in the protosw in ip_init when setting up ip_protox. Depending on what data follows the protosw table, one will get an incorrect value in ip_protox. Since most of the entries (all but 3 or 4) are set to an index for IPPROTO_RAW and never used, the chances of hitting this bug are rare.

Simple fix (of an oversight): Change a <= to a <.

ip_input.c
---------- old version -----------

    /*
     * IP initialization: fill in IP protocol switch table.
     * All protocols not implemented in kernel go to raw IP protocol handler.
     */
    ip_init()
    {
            register struct protosw *pr;
            register int i;

            pr = pffindproto(PF_INET, IPPROTO_RAW);
            if (pr == 0)
                    panic("ip_init");
            /* default every protocol number to the raw IP handler */
            for (i = 0; i < IPPROTO_MAX; i++)
                    ip_protox[i] = pr - inetsw;
            /* dom_protoswNPROTOSW points one past the last entry, so <= reads
             * one entry beyond the table */
            for (pr = inetdomain.dom_protosw;
                pr <= inetdomain.dom_protoswNPROTOSW; pr++)      /*** BUG ***/
                    if (pr->pr_family == PF_INET &&
                        pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
                            ip_protox[pr->pr_protocol] = pr - inetsw;
            ipq.next = ipq.prev = &ipq;
            ip_id = time.tv_sec & 0xffff;
            ipintrq.ifq_maxlen = ipqmaxlen;
            ifinet = if_ifwithaf(AF_INET);
    }

___________ new version ___________

    /*
     * IP initialization: fill in IP protocol switch table.
     * All protocols not implemented in kernel go to raw IP protocol handler.
     */
    ip_init()
    {
            register struct protosw *pr;
            register int i;

            pr = pffindproto(PF_INET, IPPROTO_RAW);
            if (pr == 0)
                    panic("ip_init");
            /* default every protocol number to the raw IP handler */
            for (i = 0; i < IPPROTO_MAX; i++)
                    ip_protox[i] = pr - inetsw;
            /* stop at the one-past-the-end pointer instead of reading it */
            for (pr = inetdomain.dom_protosw;
                pr < inetdomain.dom_protoswNPROTOSW; pr++)       /*** FIXED ***/
                    if (pr->pr_family == PF_INET &&
                        pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
                            ip_protox[pr->pr_protocol] = pr - inetsw;
            ipq.next = ipq.prev = &ipq;
            ip_id = time.tv_sec & 0xffff;
            ipintrq.ifq_maxlen = ipqmaxlen;
            ifinet = if_ifwithaf(AF_INET);
    }
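The effect of the off-by-one, shown with an added stand-alone example (not code from the post or from 4.2BSD): a toy protosw table is backed by an array with one extra slot standing in for "whatever data follows the table", and the same loop is run with the buggy `<=` bound and the fixed `<` bound. The names `fill_protox`, `backing`, `NPROTO` and the protocol numbers in the table are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define PF_INET      2
#define IPPROTO_RAW  255
#define IPPROTO_MAX  256
#define NPROTO       4          /* entries in the toy inetsw (assumed) */

struct protosw { int pr_family; int pr_protocol; };

/* backing[0..NPROTO-1] is the switch table; backing[NPROTO] models the
 * unrelated data that happens to follow it in memory (constructed). */
static struct protosw backing[NPROTO + 1] = {
    { PF_INET, 0 },            /* protocol 0: skipped by the pr_protocol test */
    { PF_INET, 6 },            /* TCP */
    { PF_INET, 17 },           /* UDP */
    { PF_INET, IPPROTO_RAW },  /* raw IP handler, the default for everything */
    { PF_INET, 42 },           /* trailing garbage that looks like a valid entry */
};
static struct protosw *dom_protosw = backing;
static struct protosw *dom_protoswNPROTOSW = backing + NPROTO; /* one past end */

static unsigned char ip_protox[IPPROTO_MAX];

/* Fill ip_protox the way ip_init does; fixed == 0 uses the '<=' bound
 * (the bug), fixed != 0 uses '<'. Returns how many entries were visited. */
int fill_protox(int fixed)
{
    struct protosw *pr = &backing[NPROTO - 1];     /* what pffindproto returns */
    int i, seen = 0;

    for (i = 0; i < IPPROTO_MAX; i++)
        ip_protox[i] = (unsigned char)(pr - dom_protosw);
    for (pr = dom_protosw;
         fixed ? pr < dom_protoswNPROTOSW : pr <= dom_protoswNPROTOSW; pr++) {
        seen++;
        if (pr->pr_family == PF_INET &&
            pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
            ip_protox[pr->pr_protocol] = (unsigned char)(pr - dom_protosw);
    }
    return seen;
}

int main(void)
{
    int n = fill_protox(0);
    printf("buggy: visited %d entries, ip_protox[42] = %u (table has %d)\n",
           n, ip_protox[42], NPROTO);
    n = fill_protox(1);
    printf("fixed: visited %d entries, ip_protox[42] = %u\n", n, ip_protox[42]);
    return 0;
}
```

With the buggy bound the trailing entry is treated as a real protocol and ip_protox[42] receives index 4, which is outside the table; with the fix it keeps the raw-handler index 3.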