tas@mcnc.UUCP (Tim Seaver) (06/19/87)
Index: sys/netinet/ip_output.c 4.3BSD
Description:
Passing an invalid level and a null option value to setsockopt
on an INET socket will cause a null mbuf pointer to be m_free'd
in the kernel routine ip_ctloutput, resulting in a protection
fault crash.
Repeat-By:
Compile and run the following program under 4.3 BSD.
Note: THIS WILL CRASH YOUR SYSTEM!
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>

main()
{
	int soc;

	/* Any INET socket will do; the fault is in the protocol's ctloutput. */
	soc = socket(AF_INET, SOCK_STREAM, 0);
	if (soc < 0) {
		perror("socket");
		exit(1);
	}
	fprintf(stderr, "got socket\n");
	fflush(stderr);
	/*
	 * Invalid level (-1), null option value, zero length: ip_ctloutput
	 * rejects the level but still m_free's the null option mbuf.
	 */
	if (setsockopt(soc, -1, SO_DEBUG, 0, 0) < 0) {
		perror("setsockopt");
		exit(2);
	}
	fprintf(stderr, "set socket options at level -1\n");
	fflush(stderr);
	exit(0);
}
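The following is an added, user-space model of the failure described above and of the guarded version from the fix; it is not part of this report or of the 4.3BSD sources. The tail of ip_ctloutput is simplified to the two statements that matter (the level check and the m_free of the option mbuf), m_free is replaced by a stand-in that records a NULL argument instead of faulting, and model_sosetopt mimics the syscall side handing down a NULL mbuf pointer when the caller supplied no option value. The names ctloutput_tail_before, ctloutput_tail_after, model_m_free and model_sosetopt are assumptions made for this example.

```c
/*
 * Added example, not from the bug report or the 4.3BSD kernel: a model of
 * the tail of ip_ctloutput before and after the fix. Function names are
 * stand-ins chosen for this example.
 */
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>

#define PRCO_SETOPT 0
#define PRCO_GETOPT 1
#define IPPROTO_IP  0

struct mbuf {
	int m_type;
};

/*
 * Stand-in for m_free(): the kernel routine dereferences its argument, so
 * a NULL there is the protection fault. This model counts the attempt
 * instead of faulting so the behaviour can be observed.
 */
static int null_free_attempts;

static void model_m_free(struct mbuf *m)
{
	if (m == NULL) {
		null_free_attempts++;
		return;
	}
	free(m);
}

/* Original shape: release the option mbuf on every SETOPT call. */
int ctloutput_tail_before(int op, int level, struct mbuf **m)
{
	int error = 0;

	if (level != IPPROTO_IP)
		error = EINVAL;		/* bad level: option data never examined */
	if (op == PRCO_SETOPT)
		model_m_free(*m);	/* *m is NULL when no value was supplied */
	return error;
}

/* Fixed shape: the guard added by the diff. */
int ctloutput_tail_after(int op, int level, struct mbuf **m)
{
	int error = 0;

	if (level != IPPROTO_IP)
		error = EINVAL;
	if (op == PRCO_SETOPT && *m != NULL)
		model_m_free(*m);
	return error;
}

/*
 * Model of the syscall side: an option mbuf is allocated only when the
 * caller passed a value pointer; otherwise a NULL pointer goes down.
 */
int model_sosetopt(int level, int have_value, int use_fix)
{
	struct mbuf *m = NULL;

	if (have_value) {
		m = malloc(sizeof *m);
		if (m == NULL)
			return ENOBUFS;
		m->m_type = 0;
	}
	return use_fix ? ctloutput_tail_after(PRCO_SETOPT, level, &m)
		       : ctloutput_tail_before(PRCO_SETOPT, level, &m);
}

/* Return and clear the number of m_free(NULL) attempts seen so far. */
int take_null_free_count(void)
{
	int n = null_free_attempts;

	null_free_attempts = 0;
	return n;
}

int main(void)
{
	int err;

	err = model_sosetopt(-1, 0, 0);
	printf("unfixed: error %d, NULL frees %d\n", err, take_null_free_count());
	err = model_sosetopt(-1, 0, 1);
	printf("fixed:   error %d, NULL frees %d\n", err, take_null_free_count());
	return 0;
}
```

Run as written, the unfixed path reports one attempted NULL free for the level -1 call (the fault in the real kernel) while the fixed path reports none and still returns EINVAL to the caller.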
Fix:
Apply the following diff to sys/netinet/ip_output.c:
349c349
< if (op == PRCO_SETOPT)
---
> if (op == PRCO_SETOPT && *m != NULL)
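Review bot: the `*m != NULL` test at line 349 only protects callers that set the mbuf pointer to NULL when no option value was supplied, so the setsockopt path that reaches ip_ctloutput should be checked to confirm the pointer is always initialized rather than left as whatever was on the stack; an uninitialized pointer passes this test and is still handed to m_free. A one-line comment above the condition noting that a null option mbuf is legitimate here (setsockopt with a null value) would also keep a later reader from removing the check as redundant.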