authorjulian <julian@FreeBSD.org>1997-07-15 23:25:32 +0000
committerjulian <julian@FreeBSD.org>1997-07-15 23:25:32 +0000
commitdb918dfad5688e9a2980e5a898e349c871ff9524 (patch)
tree70f80cb03d825482e92a9dd7b255da9a872cb055 /sys/net/rtsock.c
parent245797ff55f2b110add3004d133b9cb7535cb219 (diff)
downloadFreeBSD-src-db918dfad5688e9a2980e5a898e349c871ff9524.zip
FreeBSD-src-db918dfad5688e9a2980e5a898e349c871ff9524.tar.gz
Finally track down the reason for some of my occasional kernel crashes.
Route(1) has a bug that sends a bad message to the kernel. The kernel trusts it and crashes. Add some sanity checks so that we don't trust the user quite as much any more. (also add a comment in if_ethersubr.c)
Diffstat (limited to 'sys/net/rtsock.c')
-rw-r--r--sys/net/rtsock.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index ae1a900..79149e5 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)rtsock.c 8.5 (Berkeley) 11/2/94
- * $Id: rtsock.c,v 1.26 1997/02/22 09:41:15 peter Exp $
+ * $Id: rtsock.c,v 1.27 1997/04/27 20:01:00 wollman Exp $
*/
@@ -506,6 +506,10 @@ rt_setmetrics(which, in, out)
((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
+/*
+ * Extract the addresses of the passed sockaddrs.
+ * Do a little sanity checking so as to avoid bad memory references.
+ */
static void
rt_xaddrs(cp, cplim, rtinfo)
register caddr_t cp, cplim;
@@ -515,9 +519,23 @@ rt_xaddrs(cp, cplim, rtinfo)
register int i;
bzero(rtinfo->rti_info, sizeof(rtinfo->rti_info));
- for (i = 0; (i < RTAX_MAX) && (cp < cplim); i++) {
+ for (i = 0; i < RTAX_MAX; i++) {
if ((rtinfo->rti_addrs & (1 << i)) == 0)
continue;
+ /*
+ * It won't fit. Pretend it doesn't exist.
+ * Would return EINVAL if not void
+ */
+ if ( (cp + sa->sa_len) > cplim )
+ return;
+ /*
+ * there are no more.. quit now
+ * If there are more bits, they are in error.
+ * I've seen this. route(1) can evidently generate these.
+ * This causes kernel to core dump.
+ */
+ if (sa->sa_len == 0)
+ return;
rtinfo->rti_info[i] = sa = (struct sockaddr *)cp;
ADVANCE(cp, sa);
}
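Review bot: The new bounds check `if ( (cp + sa->sa_len) > cplim )` reads `sa` before this iteration assigns it on the `rtinfo->rti_info[i] = sa = (struct sockaddr *)cp;` line, so it tests the previous sockaddr's length, and on the first set bit it dereferences whatever `sa` held on entry (its declaration is outside the hunk, so presumably uninitialised). Both checks need the current entry: move `sa = (struct sockaddr *)cp;` above them and store `rtinfo->rti_info[i] = sa;` once they pass. Dropping `cp < cplim` from the loop condition also means `sa_len` can be read at or past `cplim` after `ADVANCE` has rounded `cp` up, so keep that test (or add `if (cp >= cplim) return;`) before touching `sa->sa_len`. Because the function is still void, the caller cannot tell a truncated message from a valid one; returning an error such as EINVAL, as the added comment hints, would let the caller reject the request instead of acting on a partly filled `rti_info`.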