Network kernel

system admin (root@quark.analogic.com)
Thu, 16 May 96 13:32 EDT


I wish to report a problem with Linux-1.3.99

With version Linux-1.3.99, the following trace occurs..............

May 16 12:03:34 quark kernel: Unable to handle kernel NULL pointer dereference at virtual address c0000000
May 16 12:03:34 quark kernel: current->tss.cr3 = 012a7000, %cr3 = 012a7000
May 16 12:03:34 quark kernel: *pde = 00102067
May 16 12:03:34 quark kernel: *pte = 00000027
May 16 12:03:34 quark kernel: Oops: 0000
May 16 12:03:34 quark kernel: CPU: 0
May 16 12:03:34 quark kernel: EIP: 0010:[<0015383d>]
May 16 12:03:34 quark kernel: EFLAGS: 00010206
May 16 12:03:34 quark kernel: eax: 00000000 ebx: 017e4318 ecx: 012a8f2c edx: 001edde0
May 16 12:03:34 quark kernel: esi: 001f6f24 edi: 00ffffff ebp: 01010101 esp: 012a8ee4
May 16 12:03:34 quark kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
May 16 12:03:34 quark kernel: Process pppd_cache (pid: 80, process nr: 24, stackpage=012a8000)
May 16 12:03:34 quark kernel: Stack: 00000000 001f6f24 012a8f2c 00008955 001edde0 01499c00 bffffc8d 00ffffff
May 16 12:03:34 quark kernel: bffffc98 00153d67 012a8f2c 001f6f24 bffffc54 01499c00 bffffc8d bffffc30
May 16 12:03:34 quark kernel: 012a8f2c 001f6f24 00000002 01010101 00000000 00000000 00080001 73913000
May 16 12:03:34 quark kernel: Call Trace: [<00153d67>] [<0015680f>] [<0013c531>] [<00131fb3>] [<0010aa11>] [<001e002b>]
May 16 12:03:34 quark kernel: Code: 8b 00 89 03 89 1a 8b 74 24 28 83 c6 12 89 74 24 20 8b 54 24

..... when the following code is executed:

/*
 * This is free software. It is not guaranteed. You can use any portion
 * of it for any purpose whatsoever. You do not need to provide any
 * "credits" to the author.
 *
 * Richard B. Johnson (rjohnson@analogic.com)
 */

#include <stdio.h>
#include <errno.h>              /* errno is returned from add_arp() */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <linux/sockios.h>
#include <linux/netdevice.h>
#include <linux/if.h>
#include <linux/if_arp.h>
#include <netdb.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include "pppd_cache.h"         /* daemon's own header (not included in this mail):
                                   HW, UCP, UCR, LOG(), ERROR(), show(), makeaddr(), scratch */

static const char dev[] = "eth0";

/*
 * Add remote IP addresses and the local hardware address to the ARP
 * cache.
 */
int add_arp(int arp_fd, char *name, HW *hw)
{
    struct arpreq arp;
    int status;

#ifndef DEBUG
    sprintf(scratch, "ARP address added: %s", name);
    LOG(scratch);
#endif
    show("add_arp()");
    show(name);

    /* Build the request: IPv4 protocol address, Ethernet hardware address,
     * and a /24 netmask, all on interface "eth0". */
    memset(UCP &arp, UCR 0x00, sizeof(arp));
    arp.arp_pa.sa_family = AF_INET;
    arp.arp_ha.sa_family = ARPHRD_ETHER;
    arp.arp_netmask.sa_family = AF_INET;
    makeaddr(&arp.arp_pa.sa_data[2], name);                 /* Protocol address */
    memcpy(UCP &arp.arp_ha.sa_data[0], hw, sizeof(HW));     /* Hardware address */
    arp.arp_flags = (ATF_PERM | ATF_PUBL | ATF_NETMASK);
    strcpy(arp.arp_dev, dev);
    memset(UCP &arp.arp_netmask.sa_data[2], UCR 0xff, 0x03); /* 255.255.255.0 */

    /* CRASHES and never returns */
    status = ioctl(arp_fd, SIOCSARP, &arp);
    if (status < 0)
    {
        ERROR("ioctl(SIOCSARP)");
        return errno;
    }
    return 0;
}

This code executes correctly with linux version 1.3.91 and lower.
Even if the elements within the "arpreq" structure were not correct, there
are no pointers within this structure to be dereferenced.

The code adds a remote IP address along with the server's hardware address
to the arp cache. This is part of an extended network daemon that transparently
routes subnets that are connected via a PPP dialup line.

After this call has been made, the network software has been destroyed.
Further, executing `cat /proc/net/arp` produces another exception which
usually results in a panic.

Cheers,

Richard B. Johnson
rjohnson@analogic.com
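The first thing a kernel developer does with a trace like the one above is resolve EIP and the Call Trace addresses against the kernel's System.map (the job ksymoops automates). The following Python example is added here and is not part of the original mail or of the pppd_cache daemon; it parses the report's Oops lines and resolves them against a constructed System.map excerpt whose addresses and symbol names are illustrative only, not the real Linux-1.3.99 map.

```python
import bisect
import re

# Constructed sample: a subset of the Oops lines quoted in the report above.
OOPS_TEXT = """\
May 16 12:03:34 quark kernel: EIP: 0010:[<0015383d>]
May 16 12:03:34 quark kernel: eax: 00000000 ebx: 017e4318 ecx: 012a8f2c edx: 001edde0
May 16 12:03:34 quark kernel: Call Trace: [<00153d67>] [<0015680f>] [<0013c531>] [<00131fb3>] [<0010aa11>] [<001e002b>]
"""

# Constructed System.map excerpt: illustrative addresses, NOT the real 1.3.99 map.
SYSTEM_MAP = """\
0010a9c0 T sys_ioctl
00131f00 T sock_ioctl
0013c480 T inet_ioctl
00153700 T arp_req_set
00153c00 T arp_ioctl
001e0000 A _etext
"""

def load_system_map(text):
    # 'addr type name' lines -> list of (addr, name) sorted by address
    return sorted((int(a, 16), n) for a, _t, n in (l.split() for l in text.splitlines()))

def resolve(syms, addr):
    """Map an address to 'symbol+0xoffset' using the nearest preceding symbol."""
    i = bisect.bisect_right([a for a, _ in syms], addr) - 1
    if i < 0:
        return "<unknown>"
    base, name = syms[i]
    if name == "_etext":
        return "<not kernel text>"  # e.g. a stale stack value the trace walker picked up
    return "%s+0x%x" % (name, addr - base)

def parse_oops(text):
    # Extract EIP, call-trace addresses and general registers from an i386 Oops
    info = {"eip": None, "trace": [], "regs": {}}
    for line in text.splitlines():
        body = re.sub(r"^.*?kernel: ", "", line)  # drop the syslog prefix
        if m := re.match(r"EIP:\s+[0-9a-f]+:\[<([0-9a-f]+)>\]", body):
            info["eip"] = int(m.group(1), 16)
        elif body.startswith("Call Trace:"):
            info["trace"] = [int(a, 16) for a in re.findall(r"\[<([0-9a-f]+)>\]", body)]
        for reg, val in re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p):\s*([0-9a-f]{8})", body):
            info["regs"][reg] = int(val, 16)
    return info

def annotate(oops_text, map_text):
    syms, info = load_system_map(map_text), parse_oops(oops_text)
    return {"eip": resolve(syms, info["eip"]),
            "trace": [resolve(syms, a) for a in info["trace"]],
            # eax is 0 and the report's first Code: bytes, 8b 00, are mov (%eax),%eax
            "eax_is_null": info["regs"].get("eax") == 0}
```

With a real System.map from the same build, the resolved EIP and trace give the faulting function and the ioctl path that reached it, which is what the kernel maintainers need to turn this report into a fix.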