Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!mcnc!tas
From: tas@mcnc.UUCP (Tim Seaver)
Newsgroups: comp.bugs.4bsd
Subject: Certain arguments to setsockopt can crash 4.3 BSD
Message-ID: <513@speedy.mcnc.UUCP>
Date: Fri, 19-Jun-87 13:01:14 EDT
Article-I.D.: speedy.513
Posted: Fri Jun 19 13:01:14 1987
Date-Received: Mon, 22-Jun-87 03:23:28 EDT
Organization: Microelectronics Center of NC; RTP, NC
Lines: 43

Index: sys/netinet/ip_output.c 4.3BSD

Description:
	Passing an invalid level and a null option value to setsockopt on
	an INET socket will cause a null mbuf pointer to be m_free'd in the
	kernel routine ip_ctloutput, resulting in a protection fault crash.

Repeat-By:
	Compile and run the following program under 4.3 BSD.
	Note: THIS WILL CRASH YOUR SYSTEM!

/* Header names were lost in transit; these are the three the program needs. */
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>

main()
{
	int soc;

	soc = socket(AF_INET, SOCK_STREAM, 0);
	if (soc < 0) {
		perror("socket");
		exit(1);
	}
	fprintf(stderr, "got socket\n");
	fflush(stderr);

	/* Invalid level (-1) with a null option value and zero length:
	 * ip_ctloutput m_free's a null mbuf pointer and the kernel faults. */
	if (setsockopt(soc, -1, SO_DEBUG, 0, 0) < 0) {
		perror("setsockopt");
		exit(2);
	}
	fprintf(stderr, "set socket options at level -1\n");
	fflush(stderr);
	exit(0);
}

Fix:
	Apply the following diff to sys/netinet/ip_output.c:

349c349
< if (op == PRCO_SETOPT)
---
> if (op == PRCO_SETOPT && *m != NULL)
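Review bot: The added `*m != NULL` test keeps the null mbuf away from the m_free in ip_ctloutput, but it guards only this one site and quietly accepts the invalid level (-1) that produced the null pointer; consider rejecting an unknown level with an error before the request reaches ip_ctloutput, and add a comment above the test explaining that `*m` can be NULL when setsockopt is called with a null option value, so the reason for the check is not lost. The `349c349` ed-style diff also applies only to a tree with identical line numbering; a context diff (diff -c) would let others verify the change against their own 4.3BSD sources.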