tas@mcnc.UUCP (Tim Seaver) (06/19/87)
Index: sys/netinet/ip_output.c 4.3BSD

Description:
    Passing an invalid level and a null option value to setsockopt
    on an INET socket will cause a null mbuf pointer to be m_free'd
    in the kernel routine ip_ctloutput, resulting in a protection
    fault crash.

Repeat-By:
    Compile and run the following program under 4.3 BSD.
    Note: THIS WILL CRASH YOUR SYSTEM!

    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/socket.h>

    main()
    {
        int soc;

        soc = socket(AF_INET, SOCK_STREAM, 0);
        if (soc < 0) {
            perror("socket");
            exit(1);
        }
        fprintf(stderr, "got socket\n");
        fflush(stderr);
        if (setsockopt(soc, -1, SO_DEBUG, 0, 0) < 0) {
            perror("setsockopt");
            exit(2);
        }
        fprintf(stderr, "set socket options at level -1\n");
        fflush(stderr);
        exit(0);
    }

Fix:
    Apply the following diff to sys/netinet/ip_output.c:

    349c349 < if (op == PRCO_SETOPT) --- > if (op == PRCO_SETOPT && *m != NULL)
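
Review bot: The new test at line 349 dereferences *m without checking m itself, so if any caller can reach this line with a null m on PRCO_SETOPT the kernel still faults; consider "m != NULL && *m != NULL", or add a comment stating that m is always valid at this point. The change is a single line with no context, so posting it as a context diff would let a reader confirm that line 349 is the condition guarding the m_free named in the description. The added condition only skips the free; whether the call with the invalid level then returns an error to the caller is not visible from this line and is worth confirming alongside the fix.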