Bug 14330 - NULL pointer dereference with arp_notify enabled and no ip address set
Status: RESOLVED CODE_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: IPV4
Hardware: All Linux
Importance: P1 normal
Assignee: Alexey Dobriyan
URL: NULL pointer dereference with arp_not...
Reported: 2009-10-06 00:16 UTC by hannes
Modified: 2009-11-15 22:34 UTC
Kernel Version: 2.6.30.8-64.fc11.x86_64
Regression: No

Description hannes 2009-10-06 00:16:31 UTC
A NULL pointer dereference happens if arp_notify is enabled, no ip address is set
and the mac address changes on an interface.

Steps to reproduce:
sysctl -w net.ipv4.conf.all.arp_notify=1
ip a f dev eth0
ip l s eth0 a 02:00:00:00:00:00

It seems that in function inetdev_event (net/ipv4/devinet.c:1081) the
dereference of in_dev->ifa_list->ifa_address blows up because in_dev->ifa_list
is NULL.
Comment 1 Andrew Morton 2009-10-14 02:48:10 UTC
(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Tue, 6 Oct 2009 00:16:31 GMT bugzilla-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=14330
> 
>                URL: NULL pointer dereference with arp_notify and no ip
>                     address
>            Summary: Kernel
>            Product: Networking
>            Version: 2.5
>     Kernel Version: 2.6.30.8-64.fc11.x86_64
>           Platform: All
>         OS/Version: Linux
>               Tree: Fedora
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: IPV4
>         AssignedTo: shemminger@linux-foundation.org
>         ReportedBy: hannes@stressinduktion.org
>         Regression: No
> 
> 
> A NULL pointer dereference happens if arp_notify is enabled, no ip address is
> set
> and the mac address changes on an interface.
> 
> Steps to reproduce:
> sysctl -w net.ipv4.conf.all.arp_notify=1
> ip a f dev eth0
> ip l s eth0 a 02:00:00:00:00:00
> 
> It seems that in function inetdev_event (net/ipv4/devinet.c:1081) the
> dereference of in_dev->ifa_list->ifa_address blows up because
> in_dev->ifa_list
> is NULL.
Comment 2 David S. Miller 2009-10-14 03:43:10 UTC
From: Andrew Morton <akpm@linux-foundation.org>
Date: Tue, 13 Oct 2009 19:48:06 -0700

> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).

Fixed by:

commit a21090cff296eb82b6de09304d64de466bdcaefc
Author: Stephen Hemminger <shemminger@vyatta.com>
Date:   Wed Oct 7 03:18:17 2009 -0700

    ipv4: arp_notify address list bug
    
    This fixes a bug with arp_notify.
    
    If arp_notify is enabled, kernel will crash if address is changed
    and no IP address is assigned.
      http://bugzilla.kernel.org/show_bug.cgi?id=14330
    
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
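
A user-space C model of the code path described in the report, added here as an illustration; it is not the kernel source or the patch from the commit cited above. The structs are reduced to the fields the report names, and `arp_notify`, `on_change_addr`, `send_gratuitous_arp` and the `ARPN_*` values are assumed names.

```c
#include <stddef.h>
#include <stdint.h>

/* User-space stand-ins for the kernel structures named in the report;
 * only the fields involved in the dereference are modelled. */
struct in_ifaddr {
    struct in_ifaddr *ifa_next;
    uint32_t ifa_address;
};

struct in_device {
    struct in_ifaddr *ifa_list;  /* NULL once every address is flushed */
    int arp_notify;              /* models net.ipv4.conf.*.arp_notify */
};

enum arpn_result { ARPN_OFF, ARPN_NO_ADDRESS, ARPN_SENT };

/* Hypothetical stub for the gratuitous ARP transmit: records the address. */
static uint32_t last_announced;
static void send_gratuitous_arp(uint32_t addr) { last_announced = addr; }

/* Guarded handling of a MAC address change: read ifa_list once and check
 * it before touching ifa_address. The crash in the report is this same
 * path taken without the NULL check. */
enum arpn_result on_change_addr(const struct in_device *in_dev)
{
    const struct in_ifaddr *ifa;

    if (!in_dev->arp_notify)
        return ARPN_OFF;
    ifa = in_dev->ifa_list;
    if (ifa == NULL)
        return ARPN_NO_ADDRESS;  /* nothing to announce, no dereference */
    send_gratuitous_arp(ifa->ifa_address);
    return ARPN_SENT;
}

int main(void)
{
    struct in_ifaddr a = { NULL, 0xC0000201u };  /* constructed: 192.0.2.1 */
    struct in_device flushed = { NULL, 1 };      /* arp_notify on, no address */
    struct in_device addressed = { &a, 1 };

    /* Exit status 0 when both cases behave as expected. */
    return !(on_change_addr(&flushed) == ARPN_NO_ADDRESS &&
             on_change_addr(&addressed) == ARPN_SENT);
}
```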
