
system/2375: Use of socket option SO_LINGER with high li_linger values causes a kernel panic
>Number:         2375
>Category:       system
>Synopsis:       Use of socket option SO_LINGER may cause kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb  4 15:30:02 MST 2002
>Last-Modified:
>Originator:     Joseph Ishac
>Organization:
NASA Glenn Research Center
net
>Release:        2.9
>Environment:
        System      : OpenBSD 2.9
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
        Setting the li_linger value (part of the SO_LINGER socket option) to a large value
        (e.g. 50000) will cause a kernel panic.  The panic seems to occur at the end of a transfer,
        probably when closing the socket.
        
>How-To-Repeat:
        Source code for ttcp with SO_LINGER support at:
        http://roland.grc.nasa.gov/~jishac/tools/ttcp/ttcp.linger.c
        
        Grab source above and compile with:  gcc -o ttcp ttcp.linger.c
        
        To replicate:
          --2 Machines--
        OpenBSD2.9_machine2$ ttcp -r -s -b240000
        OpenBSD2.9_machine1$ ttcp -t -b240000 -L50000 [destination machine] < [some file]
        
          --1 Machine--
        OpenBSD2.9_machine1$ ttcp -r -s -b240000 &
        OpenBSD2.9_machine1$ ttcp -t -b240000 -L50000 localhost < [some file]
        
        I've tried the two-machine scenario several times and it always resulted in a kernel panic.
        I have not tried this with one machine, but I would imagine it having the same effect.
        As a note, the size of my input file was 289600 bytes.
>Fix:
        My guess is that it is a problem with the linger data structure defined in <sys/socket.h>.
        Perhaps an overflow or something similar.  However, I have not been able to look into it.
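
        The report guesses at an overflow in how the linger value is stored. The program below is an
        added illustration, not part of this PR and not OpenBSD code: it shows the setsockopt(2) call
        that ttcp's -L option issues, and an application-side guard that refuses an l_linger value which
        does not survive a round trip through a 16-bit field before the value ever reaches the kernel.
        The 16-bit bound (SHRT_MAX), the helper names linger_value_ok, build_linger and
        set_linger_checked, and the use of a socketpair as the test socket are all assumptions made for
        the example; the report itself does not identify where the overflow occurs.

```c
/* Added example (not from the PR): validate an l_linger value before
 * handing it to setsockopt(SO_LINGER). The 16-bit bound is an assumption
 * about where a narrow kernel field could overflow, not a documented limit. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed upper bound: the largest linger time (seconds) that fits in a
 * signed 16-bit field. SHRT_MAX is 32767 on all common ABIs. */
#define LINGER_MAX_SECONDS SHRT_MAX

/* Returns 1 if `seconds` is acceptable under the assumption above: it is
 * non-negative and is unchanged after being narrowed to a short. */
int linger_value_ok(int seconds)
{
    if (seconds < 0)
        return 0;
    /* Round trip through a short: 50000 comes back negative on
     * two's-complement machines, the kind of truncation the report suspects. */
    short narrowed = (short)seconds;
    return narrowed == seconds;
}

/* Fill a struct linger. Returns 0 on success, or -1 with errno set to EDOM
 * when lingering is requested with a value the guard rejects. */
int build_linger(struct linger *l, int on, int seconds)
{
    memset(l, 0, sizeof *l);
    if (on && !linger_value_ok(seconds)) {
        errno = EDOM;
        return -1;
    }
    l->l_onoff = on ? 1 : 0;
    l->l_linger = on ? seconds : 0;
    return 0;
}

/* Apply SO_LINGER to fd, but only after the value has passed the guard. */
int set_linger_checked(int fd, int on, int seconds)
{
    struct linger l;
    if (build_linger(&l, on, seconds) == -1)
        return -1;
    return setsockopt(fd, SOL_SOCKET, SO_LINGER, &l, sizeof l);
}

int main(void)
{
    int sv[2];
    /* A local socketpair stands in for the TCP socket ttcp would use. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        perror("socketpair");
        return 1;
    }
    /* The value from the report is refused in user space. */
    if (set_linger_checked(sv[0], 1, 50000) == -1)
        printf("l_linger=50000 rejected: %s\n", strerror(errno));
    /* A modest value is passed to the kernel as usual. */
    if (set_linger_checked(sv[0], 1, 5) == 0)
        printf("l_linger=5 applied\n");
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

        The guard lives in the application only because that is where the report's submitter can act;
        the proper fix is for the kernel to range-check the option in sosetopt and return an error
        rather than panic on close.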

>Audit-Trail:
>Unformatted: