Date: Wed, 30 May 2018 11:57:03 +0200
From: Matej Kupljen <matej.kupljen@...il.com>
To: musl@...ts.openwall.com
Subject: Endless loop in netlink_msg_to_ifaddr

Hi all,

I am using OpenWRT device with MUSL C library version 1.1.19 and I am
running custom binary on it. I noticed that during testing my program
started using 99% CPU.
I build OpenWRT myself so I have all the sources. I attached the gdbserver
and checked what is going on.

What I found is that it executes this code:

static int netlink_msg_to_ifaddr(void *pctx, struct nlmsghdr *h)
{
	struct ifaddrs_ctx *ctx = pctx;
	struct ifaddrs_storage *ifs, *ifs0;
	struct ifinfomsg *ifi = NLMSG_DATA(h);
	struct ifaddrmsg *ifa = NLMSG_DATA(h);
	struct rtattr *rta;
	int stats_len = 0;

	if (h->nlmsg_type == RTM_NEWLINK) {
		for (rta = NLMSG_RTA(h, sizeof(*ifi)); NLMSG_RTAOK(rta, h); rta = RTA_NEXT(rta)) {
			if (rta->rta_type != IFLA_STATS) continue;
			stats_len = RTA_DATALEN(rta);
			break;
		}
	} else {
		for (ifs0 = ctx->hash[ifa->ifa_index % IFADDRS_HASH_SIZE]; ifs0; ifs0 = ifs0->hash_next)
			if (ifs0->index == ifa->ifa_index)
				break;
		if (!ifs0) return 0;
	}

From my GDB session:
(gdb) p *ctx
$10 = {first = 0xe1b0b0, last = 0xe1b1c0, hash = {0x0, 0xe1b0b0, 0xe1b1c0, 0x0 <repeats 61 times>}}
(gdb) p *h
$11 = {nlmsg_len = 1496, nlmsg_type = 16, nlmsg_flags = 2, nlmsg_seq = 1, nlmsg_pid = 3143810850}
(gdb) p *ifi
$12 = {ifi_family = 0 '\000', __ifi_pad = 0 '\000', ifi_type = 1, ifi_index = 3, ifi_flags = 69699, ifi_change = 0}
(gdb) p *ifa
$13 = {ifa_family = 0 '\000', ifa_prefixlen = 0 '\000', ifa_flags = 0 '\000', ifa_scope = 1 '\001', ifa_index = 3}
(gdb) p *rta
$14 = {rta_len = 0, rta_type = 41}

As you can see, the first message in the netlink reply has rta_len set to zero,
so the list is never traversed; only the first message is received every
time.

I am not sure if this is the correct response from netlink; however, the
program is stuck here.

Any ideas?
Please CC me in reply.

Thanks and BR,
Matej
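The mechanism behind the report is easy to reproduce outside libc. RTA_NEXT() advances by NETLINK_ALIGN(rta->rta_len), so an attribute with rta_len == 0 yields the same pointer, and a loop whose only termination test is "enough bytes left for another header" never moves. The kernel's own RTA_OK() macro in <linux/rtnetlink.h> additionally requires rta_len >= sizeof(struct rtattr) and rta_len <= remaining, which is the guard that turns this into a rejected message rather than a spin. The following is an added example, not code from the poster or from musl: it builds a constructed RTM_NEWLINK reply (with an optional forged zero-length attribute of type 41, the shape in the gdb dump), and walks the attributes with that guard. The struct layouts are mirrored locally so it builds without kernel headers; the constant values (RTM_NEWLINK = 16, IFLA_STATS = 7, sizeof(struct ifinfomsg) = 16) are stated as assumptions in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local mirrors of the Linux struct nlmsghdr / struct rtattr layouts
 * (assumption: lets the example build on any platform without
 * <linux/netlink.h>; field order and sizes match the kernel ABI). */
struct nl_hdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
struct nl_rta { uint16_t len; uint16_t type; };

#define NL_ALIGN(n)   (((size_t)(n) + 3u) & ~(size_t)3u)
#define RTM_NEWLINK_T 16   /* RTM_NEWLINK, matches nlmsg_type in the gdb dump */
#define IFINFOMSG_LEN 16   /* sizeof(struct ifinfomsg) */
#define IFLA_STATS_T  7    /* IFLA_STATS */

/* Walk the attributes that follow a fixed payload header of fixed_len bytes.
 * Returns the number of attributes, or -1 on a malformed attribute: rta_len
 * shorter than the attribute header (a naive RTA_NEXT would then return the
 * same pointer forever) or extending past nlmsg_len. If want_type is found,
 * *want_datalen receives its data length, else -1. */
static int scan_rtattrs(const unsigned char *buf, size_t buflen, size_t fixed_len,
                        uint16_t want_type, int *want_datalen)
{
    struct nl_hdr h;
    size_t off, end;
    int count = 0;

    *want_datalen = -1;
    if (buflen < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    end = h.len;
    if (end > buflen || end < sizeof h + NL_ALIGN(fixed_len)) return -1;

    for (off = sizeof h + NL_ALIGN(fixed_len); off + sizeof(struct nl_rta) <= end; ) {
        struct nl_rta rta;
        memcpy(&rta, buf + off, sizeof rta);
        /* The check the kernel's RTA_OK() applies; rta_len == 0 fails it. */
        if (rta.len < sizeof rta || rta.len > end - off) return -1;
        if (rta.type == want_type) *want_datalen = (int)(rta.len - sizeof rta);
        count++;
        off += NL_ALIGN(rta.len);   /* rta.len >= 4, so this always advances */
    }
    return count;
}

/* Append one attribute; returns the aligned number of bytes consumed.
 * len_field is written as rta_len independently of datalen so a bogus
 * length (e.g. 0) can be forged for the test case. */
static size_t put_rta(unsigned char *p, uint16_t type, uint16_t len_field,
                      const void *data, size_t datalen)
{
    struct nl_rta rta = { len_field, type };
    memcpy(p, &rta, sizeof rta);
    memcpy(p + sizeof rta, data, datalen);
    return NL_ALIGN(sizeof rta + datalen);
}

/* Build a constructed RTM_NEWLINK reply: header, zeroed ifinfomsg, then three
 * attributes. With forge_zero set, the first attribute (type 41, as in the
 * report) carries rta_len = 0. Returns the total message length. */
static size_t build_newlink(unsigned char *buf, int forge_zero)
{
    char ifname[] = "eth0";            /* 5 bytes incl. NUL, like IFLA_IFNAME */
    unsigned char stats[24] = {0};     /* stand-in for IFLA_STATS payload */
    uint32_t attr41 = 1500;
    size_t off = sizeof(struct nl_hdr) + IFINFOMSG_LEN;
    struct nl_hdr h;

    memset(buf, 0, off);
    off += put_rta(buf + off, 41,
                   forge_zero ? 0 : (uint16_t)(sizeof(struct nl_rta) + sizeof attr41),
                   &attr41, sizeof attr41);
    off += put_rta(buf + off, 3, (uint16_t)(sizeof(struct nl_rta) + sizeof ifname),
                   ifname, sizeof ifname);
    off += put_rta(buf + off, IFLA_STATS_T, (uint16_t)(sizeof(struct nl_rta) + sizeof stats),
                   stats, sizeof stats);
    h.len = (uint32_t)off; h.type = RTM_NEWLINK_T; h.flags = 2; h.seq = 1; h.pid = 0;
    memcpy(buf, &h, sizeof h);
    return off;
}

/* Build and scan one message; returns scan_rtattrs()'s result. */
static int demo(int forge_zero, int *stats_len)
{
    unsigned char buf[256];
    size_t n = build_newlink(buf, forge_zero);
    return scan_rtattrs(buf, n, IFINFOMSG_LEN, IFLA_STATS_T, stats_len);
}

int main(void)
{
    int sl = 0;
    int r = demo(0, &sl);
    printf("well-formed: %d attributes, IFLA_STATS data length %d\n", r, sl);
    r = demo(1, &sl);
    printf("forged rta_len 0: scan returns %d (malformed, stop instead of spinning)\n", r);
    return 0;
}
```

The well-formed message yields three attributes with a 24-byte IFLA_STATS payload; the forged one is rejected on the first attribute instead of looping. When parsing netlink replies in your own code, treat any attribute with rta_len below sizeof(struct rtattr) as a protocol error and stop, since a length-only bound on the remaining buffer cannot detect it.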
