From db918dfad5688e9a2980e5a898e349c871ff9524 Mon Sep 17 00:00:00 2001
From: julian
Date: Tue, 15 Jul 1997 23:25:32 +0000
Subject: [PATCH] Finally track down the reason for some of my occasional kernel crashes. Route(1) has a bug that sends a bad message to the kernel. The kernel trusts it and crashes. Add some sanity checks so that we don't trust the user quite as much any more. (also add a comment in if_ethersubr.c)

---
 sys/net/if_ethersubr.c |  5 ++++-
 sys/net/rtsock.c       | 22 ++++++++++++++++++++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index 48295aece56..13be40341aa 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)if_ethersubr.c	8.1 (Berkeley) 6/10/93
- *	$Id: if_ethersubr.c,v 1.34 1997/03/24 11:33:11 bde Exp $
+ *	$Id: if_ethersubr.c,v 1.35 1997/05/10 10:01:31 jhay Exp $
  */
 
 #include
@@ -792,6 +792,9 @@ ether_resolvemulti(ifp, llsa, sa)
 	switch(sa->sa_family) {
 	case AF_LINK:
+		/*
+		 * No mapping needed. Just check that it's a valid MC address.
+		 */
 		sdl = (struct sockaddr_dl *)sa;
 		e_addr = LLADDR(sdl);
 		if ((e_addr[0] & 1) != 1)
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index ae1a900a903..79149e5acb7 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)rtsock.c	8.5 (Berkeley) 11/2/94
- *	$Id: rtsock.c,v 1.26 1997/02/22 09:41:15 peter Exp $
+ *	$Id: rtsock.c,v 1.27 1997/04/27 20:01:00 wollman Exp $
  */
 
 
@@ -506,6 +506,10 @@ rt_setmetrics(which, in, out)
 	((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
 
+/*
+ * Extract the addresses of the passed sockaddrs.
+ * Do a little sanity checking so as to avoid bad memory references.
+ */
 static void
 rt_xaddrs(cp, cplim, rtinfo)
 	register caddr_t cp, cplim;
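Review bot: The new header comment on rt_xaddrs says it sanity-checks the sockaddrs but not what a caller sees when a check fails; the function is void, so (judging from the following hunk) a malformed message is silently cut short and the remaining `rti_info` slots keep the NULL the `bzero` put there, which the caller cannot tell apart from addresses that were simply not supplied. I would extend the comment with a line such as ` * On a malformed message parsing stops early and the remaining entries are left NULL; the caller gets no error.` The body of rt_xaddrs continues past this hunk.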
@@ -515,9 +519,23 @@ rt_xaddrs(cp, cplim, rtinfo)
 	register int i;
 
 	bzero(rtinfo->rti_info, sizeof(rtinfo->rti_info));
-	for (i = 0; (i < RTAX_MAX) && (cp < cplim); i++) {
+	for (i = 0; i < RTAX_MAX; i++) {
 		if ((rtinfo->rti_addrs & (1 << i)) == 0)
 			continue;
+		/*
+		 * It won't fit. Pretend it doesn't exist.
+		 * Would return EINVAL if not void
+		 */
+		if ( (cp + sa->sa_len) > cplim )
+			return;
+		/*
+		 * there are no more.. quit now
+		 * If there are more bits, they are in error.
+		 * I've seen this. route(1) can evidently generate these.
+		 * This causes kernel to core dump.
+		 */
+		if (sa->sa_len == 0)
+			return;
 		rtinfo->rti_info[i] = sa = (struct sockaddr *)cp;
 		ADVANCE(cp, sa);
 	}
-- 
2.45.2
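Review bot: Both new checks read `sa->sa_len` before `sa` has been pointed at the current address, because the assignment `rtinfo->rti_info[i] = sa = (struct sockaddr *)cp;` only comes after them: on the first iteration `sa` holds whatever its out-of-hunk declaration left in it, and on later iterations it still points at the previous sockaddr, so each check validates the wrong object and the crash this commit is chasing can still happen. Move the assignment up so that `sa = (struct sockaddr *)cp;` is the first statement after `continue;`, and reduce the later line to `rtinfo->rti_info[i] = sa;`. Removing `cp < cplim` from the loop condition also lets `sa->sa_len` be read at `cp == cplim`, one byte past the message, before the `cp + sa->sa_len > cplim` test runs; keeping `(cp < cplim)` in the `for` header (or testing it before the dereference) closes that. The declaration of `sa` and the start of rt_xaddrs lie outside this hunk.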