freebsd stable - Feb 2017 - net.inet.udp.log_in_vain strange syslog reports

11.0-RELEASE-p7, net.inet.udp.log_in_vain=1

The following syslog entries seem to indicate some buffer overruns
in the reporting code (not all log lines are broken, just some).

(the actual failed connection attempts were indeed there,
it's just that the reported IP address is highly suspicious)

   Mark


Connection attempt to UDP 193.2.4.2:53 from 95.87.1521242:26375
Connection attempt to UDP 193.2.4.2:53 from 95.87.1521242:55806
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:54530
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:55504
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:54530
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:49526
Connection attempt to UDP 193.2.4.2:53 from 95.8231520242:56838
Connection attempt to UDP 193.2.4.2:53 from 95.8231520242:32768
Connection attempt to UDP 193.2.4.2:53 from 95.8241523242:5387
Connection attempt to UDP 193.2.4.2:53 from 95.8241523242:54530
Connection attempt to UDP 193.2.4.2:53 from 21.823154.242:46692
Connection attempt to UDP 193.2.4.2:53 from 21.823154.242:32768
Connection attempt to UDP 193.2.4.2:53 from 19387.154.242:51931
Connection attempt to UDP 193.2.4.2:53 from 19387.154.242:59881
Connection attempt to UDP 193.2.4.2:53 from 212873154.242:53424
Connection attempt to UDP 193.2.4.2:53 from 212873154.242:53937
Connection attempt to UDP 193.2.4.2:53 from 19387.1587242:46692
Connection attempt to UDP 193.2.4.2:53 from 19387.1587242:52594
Connection attempt to UDP 193.2.4.2:53 from 19387.1587242:59639
Connection attempt to UDP 193.2.4.2:53 from 19387.1587242:50869
Connection attempt to UDP 193.2.4.2:53 from 19382.1587242:55806
Connection attempt to UDP 193.2.4.2:53 from 19382.1587242:54650
Connection attempt to UDP 193.2.4.2:53 from 95.824154.242:54322
Connection attempt to UDP 193.2.4.2:53 from 95.824154.242:49871
Connection attempt to UDP 193.2.4.2:53 from 95.824154.242:57807
Connection attempt to UDP 193.2.4.2:53 from 95.824154.242:51931
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:52930
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:50869
Connection attempt to UDP 193.2.4.2:53 from 212823152.242:56838
Connection attempt to UDP 193.2.4.2:53 from 212823152.242:32768
Connection attempt to UDP 193.2.4.2:53 from 21.8231521242:63724
Connection attempt to UDP 193.2.4.2:53 from 21.8231521242:55222
Connection attempt to UDP 193.2.4.2:53 from 1948249.230.46:52599
Connection attempt to UDP 193.2.4.2:53 from 1948249.230.46:38496
Connection attempt to UDP 193.2.4.2:53 from 2128235.209.250:43608
Connection attempt to UDP 193.2.4.2:53 from 2128235.209.250:47257
Connection attempt to UDP 193.2.4.2:53 from 19387.1594242:54324
Connection attempt to UDP 193.2.4.2:53 from 19387.1594242:34613
Connection attempt to UDP 193.2.4.2:53 from 2128235.2124180:54377
Connection attempt to UDP 193.2.4.2:53 from 2128235.2124180:50869
Connection attempt to UDP 193.2.4.2:53 from 95.87.1547242:51698
Connection attempt to UDP 193.2.4.2:53 from 95.87.1547242:55222
Connection attempt to UDP 193.2.4.2:53 from 193.2.4.2242:55222
Connection attempt to UDP 193.2.4.2:53 from 19.8241523242:38496
Connection attempt to UDP 193.2.4.2:53 from 19.8241523242:55135
Connection attempt to UDP 193.2.4.2:53 from 95.824154.242:50370
Connection attempt to UDP 193.2.4.2:53 from 95.824154.242:64533
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:55222
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:56228
Connection attempt to UDP 193.2.4.2:53 from 19387.1587242:53424
Connection attempt to UDP 193.2.4.2:53 from 19387.1587242:61230
Connection attempt to UDP 193.2.4.2:53 from 212823154.242:59716
Connection attempt to UDP 193.2.4.2:53 from 212823154.242:53424
Connection attempt to UDP 193.2.4.2:53 from 19387.154.242:36439
Connection attempt to UDP 193.2.4.2:53 from 19387.154.242:60638
Connection attempt to UDP 193.2.4.2:53 from 19387.1521242:59008
Connection attempt to UDP 193.2.4.2:53 from 19387.1521242:35505
Connection attempt to UDP 193.2.4.2:53 from 19.824154.242:54322
Connection attempt to UDP 193.2.4.2:53 from 19.824154.242:30943
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:51752
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:35165
Connection attempt to UDP 193.2.4.2:53 from 95.87.1587242:36439
Connection attempt to UDP 193.2.4.2:53 from 95.87.1587242:57311
Connection attempt to UDP 193.2.4.2:53 from 19387.1587242:36439
Connection attempt to UDP 193.2.4.2:53 from 19387.1587242:59280
Connection attempt to UDP 193.2.4.2:53 from 19487.154.242:53424
Connection attempt to UDP 193.2.4.2:53 from 19487.154.242:53247
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:35165
Connection attempt to UDP 193.2.4.2:53 from 95.823154.242:50473
Connection attempt to UDP 193.2.4.2:53 from 21287.154.242:56838
Connection attempt to UDP 193.2.4.2:53 from 21287.154.242:63658
Connection attempt to UDP 193.2.4.2:53 from 21287.154.242:54322
Connection attempt to UDP 193.2.4.2:53 from 21287.154.242:60637

On 02/02/2017 12:55, Mark Martinec wrote:
> 11.0-RELEASE-p7, net.inet.udp.log_in_vain=1
>
> The following syslog entries seem to indicate some buffer overruns
> in the reporting code (not all log lines are broken, just some).
>
> (the actual failed connection attempts were indeed there,
> it's just that the reported IP address is highly suspicious)
>
>   Mark
>
>
> Connection attempt to UDP 193.2.4.2:53 from 95.87.1521242:26375
There is no buffer overrun, so no cause for alarm.  The problem is concurrent 
usage of a single string buffer by multiple threads.  The buffer is inside 
inet_ntoa(), defined in sys/libkern/inet_ntoa.c.  In this case, it is called 
from udp_input().

Would you like to test the following patch?

Eric


diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 173c44c..ca2dda1 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -674,13 +674,13 @@ udp_input(struct mbuf **mp, int *offp, int proto)
                     INPLOOKUP_RLOCKPCB, ifp, m);
         if (inp == NULL) {
                 if (udp_log_in_vain) {
-                       char buf[4*sizeof "123"];
+                       char src[4*sizeof "123"];
+                       char dst[4*sizeof "123"];

-                       strcpy(buf, inet_ntoa(ip->ip_dst));
                         log(LOG_INFO,
                             "Connection attempt to UDP %s:%d from
%s:%d\n",
-                           buf, ntohs(uh->uh_dport),
inet_ntoa(ip->ip_src),
-                           ntohs(uh->uh_sport));
+                           inet_ntoa_r(ip->ip_dst, dst),
ntohs(uh->uh_dport),
+                           inet_ntoa_r(ip->ip_src, src),
ntohs(uh->uh_sport));
                 }
                 UDPSTAT_INC(udps_noport);
                 if (m->m_flags & (M_BCAST | M_MCAST)) {