Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!gatech!hao!boulder!forys
From: forys@sigi.Colorado.EDU (Jeff Forys)
Newsgroups: comp.bugs.4bsd
Subject: Bug in 4.3BSD network code.  +FIX
Message-ID: <1053@sigi.Colorado.EDU>
Date: Thu, 7-May-87 05:15:35 EDT
Article-I.D.: sigi.1053
Posted: Thu May  7 05:15:35 1987
Date-Received: Sat, 9-May-87 02:10:39 EDT
Reply-To: forys@boulder.Colorado.EDU (Jeff Forys)
Distribution: world
Organization: University of Colorado, Boulder
Lines: 43
Keywords: 4.3BSD, bug, network
Summary: A naive or malicious user can crash your 4.3BSD machine.

Index:	sys/netinet/tcp_usrreq.c 4.3BSD (patchlevel 9) FIX

Repeat By:

( Since *any* user can execute the code, and since it will crash
  your 4.3BSD machine, I sent it, and a kernel stack trace, to
  the security mailing list.  Look for it there. )

Description:

In routine tcp_ctloutput(), under certain conditions, an attempt is made
to free an mbuf when, in fact, it's really trying to free a NULL pointer.
As a result, Vaxen crash with a `Protection Fault' -- I assume that other
4.3 machines would be equally unhappy.

Fix:

Obviously, check for the NULL pointer before trying to free the mbuf.
Apply the following patch to "sys/netinet/tcp_usrreq.c".

*** /tmp/,RCSt1021830	Thu May  7 01:56:49 1987
--- tcp_usrreq.c	Thu May  7 01:55:45 1987
***************
*** 344,350 ****
  			error = EINVAL;
  			break;
  		}
! 		(void)m_free(m);
  		break;
  
  	case PRCO_GETOPT:
--- 344,351 ----
  			error = EINVAL;
  			break;
  		}
! 		if (m != NULL)	/* check for NULL pointer (jef 5/7/87) */
! 			(void) m_free(m);
  		break;
  
  	case PRCO_GETOPT:
---
Jeff Forys @ UC/Boulder Engineering Research Comp Cntr (303-492-6096)
forys@Boulder.Colorado.EDU  -or-  ..!{hao|nbires}!boulder!forys