openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #08280
[Bug 925218] Re: Crash in java.net.NetworkInterface.getNetworkInterfaces() when ifr_ifindex exceeds 255
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: openjdk-7 (Ubuntu Oneiric)
Status: New => Confirmed
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/925218
Title:
Crash in java.net.NetworkInterface.getNetworkInterfaces() when
ifr_ifindex exceeds 255
Status in “openjdk-6” package in Ubuntu:
Fix Released
Status in “openjdk-7” package in Ubuntu:
Fix Released
Status in “openjdk-6” source package in Oneiric:
Confirmed
Status in “openjdk-7” source package in Oneiric:
Confirmed
Bug description:
If the system contains at least one network interface in state "UP"
whose interface index (ifr_ifindex) is greater than 255, any calls to
java.net.NetworkInterface.getNetworkInterfaces() will fail horribly,
usually with a glibc-detected buffer overflow. This is on Ubuntu
11.10 amd64 with openjdk-6-jre-headless version
6b23~pre11-0ubuntu1.11.10.1 0
Interface index numbers can get quite large when we're on a system
where network interfaces are added and removed frequently. For
example, miredo (a teredo implementation) seems to create and destroy
a tuntap interface whenever we need to reestablish the teredo tunnel
-- which can be quite often on a laptop. High interface numbers can
also be induced artificially by repeatedly adding and removing, say, a
macvlan interface.
I'm attaching a simple shell script that demonstrates this bug, along
with the glibc buffer overflow crash output that results. I'm also
attaching a gdb backtrace.
The problem seems to be caused by the Linux version of the
enumIPv6Interfaces function in
openjdk/jdk/src/solaris/native/java/net/NetworkInterface.c, which
attempts to parse the contents of /proc/net/if_inet6. When we have an
interface with a high index, that file looks something like this:
> fe800000000000000000ffffffffffff 10b 40 20 80 teredo
> 20010000<--address-edited-out--> 10b 20 00 80 teredo
> fe80000000000000021558fffec629b6 02 40 20 80 eth0
> fe8000000000000002197efffec16a76 03 40 20 80 wlan0
> 00000000000000000000000000000001 01 80 10 80 lo
The second column contains the interface index in hex. Notice that it's normally two characters long, but it becomes longer when the index exceeds 255. However, enumIPv6Interfaces uses fscanf with the format string
"%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n"
which insists that the index is only two characters long. Thus, an index that's 3 chars long causes fscanf to give us lots of garbage, eventually resulting in a crash when we try to do something with the nonsense.
I'm attaching a patch that contains a simple fix. However, it might
be a good idea to find a better way to do this and replace this
fragile parsing stuff altogether, esp. since the kernel docs don't
even bother to document the format of /proc/net/if_inet6. (Netlink,
maybe? How does 'ip addr list' do it?)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/925218/+subscriptions
References