A sockaddr with invalid length could be passed to the network stack resulting in
a kernel panic like this:
panic: sockaddr_copy: source too long, 28 < 128 bytes
fatal breakpoint trap in supervisor mode
trap type 1 code 0 rip 0xffffffff80216c35 cs 0x8 rflags 0x246 cr2 0x7f7ff7ef3000 ilevel 0x4 rsp 0xffff80003308b690
curlwp 0xfffffe803e11ca40 pid 48.1 lowest kstack 0xffff8000330852c0
Stopped in pid 48.1 (a.out) at netbsd:breakpoint+0x5: leave
db{1}> bt
breakpoint() at netbsd:breakpoint+0x5
vpanic() at netbsd:vpanic+0x140
panic() at netbsd:panic+0x3c
sockaddr_copy() at netbsd:sockaddr_copy+0x95
rtcache_setdst() at netbsd:rtcache_setdst+0x73
rtcache_lookup2() at netbsd:rtcache_lookup2+0x56
in6_selectroute() at netbsd:in6_selectroute+0x184
in6_selectsrc() at netbsd:in6_selectsrc+0x119
udp6_output() at netbsd:udp6_output+0x25e
udp6_send_wrapper() at netbsd:udp6_send_wrapper+0x8a
sosend() at netbsd:sosend+0x7bf
do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x28e
do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x89
sys_sendto() at netbsd:sys_sendto+0x5c
syscall() at netbsd:syscall+0x1ed
--- syscall (number 133) ---
7f7ff790173a:
Reported by Paul Ripke
describes more about what failed. now errors tell you which actual
variable was being requested instead of simply saying "not yours".
tested on amd64 as working. written for arm64 testing.
From hannken@
When puffs_cookie2vnode() misses an entry and vrele() it operations
puffs_vnop_reclaim() and puffs_vnop_fsync() get called with a VNON
vnode.
Do not notify the server in this case as the cookie is stale.
ioctl was passed through ifioctl_common, because the case falls through
to the SIOCSIFFLAGS case. The common handler however doesn't implement
SIOCINITIFADDR, so an attempt to configure plip always failed with ENOTTY.
puffs_vnop_open() calls flushvncache(), which calls dosetattr()
if pn->pn_stat has PNODE_METACACHE_MASK. In that case, the lock
on pn->pn_sizemtx is mandatory and asserted.
internal _kvm_*err() functions aren't called, stack garbage is
not reported as an error string.
call _kvm_err() if _kvm_kvatop() fails. now the above is not
triggered anymore :-)
This generally isn't a good thing, nothing should be discard silently.
However, for systems that don't want big syslogd buffers or are too slow
to log effectively this reporting can now be disabled.
receive overflow errors re-instating the default behavior to
silently ignore them as before 2018-03-19.
- Introduce a new kern.sooptions sysctl to control the default
behavior of socket options. Setting this to 0x4000 (SO_RERROR),
turns on receive overflow error reporting for all sockets.
- Change dhcpcd to turn on SO_RERROR on all its sockets.
As discussed in tech-net.
in6_selectsrc previously returned a pointer to an ipv6 address,
the pointer was NULL in case of an error and is checked later
instead of the also returned error code. When in6_selectsrc was
changed to store the address into a buffer, the error code
was still ignored, but the buffer pointer was never set to NULL.
As a result send() to an ipv6 address on a system that isn't
configured for ipv6 no longer returns the expected EADDRAVAIL
but fails later in ip6_output with EOPNOTSUPP when trying to
send from an unspecified address. The wrong error code caused
BIND to log the unexpected errors.
triggerring panic when disks are plugged to non-adjacent ports - this should
fix panic reported by Masanobu SAITOH on current-users
also fix different miscounting of ports in ahci_setup_ports() and
ahci_reprobe_drives()
ozaki-r