openjdk team mailing list archive

Thread
Date

[Bug 925218] Re: Crash in java.net.NetworkInterface.getNetworkInterfaces() when ifr_ifindex exceeds 255

To: openjdk@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <925218@xxxxxxxxxxxxxxxxxx>
Date: Mon, 02 Jul 2012 20:21:58 -0000
Reply-to: Bug 925218 <925218@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openjdk-6 (Ubuntu Oneiric)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/925218

Title:
  Crash in java.net.NetworkInterface.getNetworkInterfaces() when
  ifr_ifindex exceeds 255

Status in “openjdk-6” package in Ubuntu:
  Fix Released
Status in “openjdk-7” package in Ubuntu:
  Fix Released
Status in “openjdk-6” source package in Oneiric:
  Confirmed
Status in “openjdk-7” source package in Oneiric:
  Confirmed

Bug description:
  If the system contains at least one network interface in state "UP"
  whose interface index (ifr_ifindex) is greater than 255, any calls to
  java.net.NetworkInterface.getNetworkInterfaces() will fail horribly,
  usually with a glibc-detected buffer overflow.  This is on Ubuntu
  11.10 amd64 with openjdk-6-jre-headless version
  6b23~pre11-0ubuntu1.11.10.1 0

  Interface index numbers can get quite large when we're on a system
  where network interfaces are added and removed frequently.  For
  example, miredo (a teredo implementation) seems to create and destroy
  a tuntap interface whenever we need to reestablish the teredo tunnel
  -- which can be quite often on a laptop.  High interface numbers can
  also be induced artificially by repeatedly adding and removing, say, a
  macvlan interface.

  I'm attaching a simple shell script that demonstrates this bug, along
  with the glibc buffer overflow crash output that results. I'm also
  attaching a gdb backtrace.

  The problem seems to be caused by the Linux version of the
  enumIPv6Interfaces function in
  openjdk/jdk/src/solaris/native/java/net/NetworkInterface.c, which
  attempts to parse the contents of /proc/net/if_inet6.  When we have an
  interface with a high index, that file looks something like this:

  > fe800000000000000000ffffffffffff 10b 40 20 80   teredo
  > 20010000<--address-edited-out--> 10b 20 00 80   teredo
  > fe80000000000000021558fffec629b6 02 40 20 80     eth0
  > fe8000000000000002197efffec16a76 03 40 20 80    wlan0
  > 00000000000000000000000000000001 01 80 10 80       lo

  The second column contains the interface index in hex.  Notice that it's normally two characters long, but it becomes longer when the index exceeds 255.  However, enumIPv6Interfaces uses fscanf with the format string
    "%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n"
  which insists that the index is only two characters long.  Thus, an index that's 3 chars long causes fscanf to give us lots of garbage, eventually resulting in a crash when we try to do something with the nonsense.

  I'm attaching a patch that contains a simple fix.  However, it might
  be a good idea to find a better way to do this and replace this
  fragile parsing stuff altogether, esp. since the kernel docs don't
  even bother to document the format of /proc/net/if_inet6.  (Netlink,
  maybe?  How does 'ip addr list' do it?)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/925218/+subscriptions

References

[Bug 925218] [NEW] Crash in java.net.NetworkInterface.getNetworkInterfaces() when ifr_ifindex exceeds 255
From: Daniel Gnoutcheff, 2012-02-02