NetBSD Problem Report #56995

From lloyd@fog.must-have-coffee.gen.nz  Sun Sep  4 19:28:18 2022
Return-Path: <lloyd@fog.must-have-coffee.gen.nz>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id DDB171A921F
	for <gnats-bugs@gnats.NetBSD.org>; Sun,  4 Sep 2022 19:28:17 +0000 (UTC)
Message-Id: <20220904192812.C6EC3F029@fog.must-have-coffee.gen.nz>
Date: Mon,  5 Sep 2022 07:28:12 +1200 (NZST)
From: lloyd@must-have-coffee.gen.nz
Reply-To: lloyd@fog.must-have-coffee.gen.nz
To: gnats-bugs@NetBSD.org
Subject: dhcrelay dumps core when sending DHCP response packets
X-Send-Pr-Version: 3.95

>Number:         56995
>Category:       bin
>Synopsis:       dhcrelay dumps core when sending DHCP response packets
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 04 19:30:00 +0000 2022
>Last-Modified:  Mon Sep 05 06:45:01 +0000 2022
>Originator:     Lloyd Parkes
>Release:        NetBSD 9.3
>Organization:
Must Have Coffee
>Environment:
System: NetBSD drumhunter.must-have-coffee.gen.nz 9.3_STABLE NetBSD 9.3_STABLE (SERIAL) #0: Sat Sep  3 11:51:37 NZST 2022  lloyd@riftsweeper.must-have-coffee.gen.nz:/home/lloyd/NetBSD/objdir/sys/arch/amd64/compile/SERIAL amd64
Architecture: x86_64
Machine: amd64
>Description:

When dhcrelay tries to relay the DHCP response to the client it dumps
core with SIGSEGV. The backtrace shows that it is crashing at
packet.c:167? in assemble_udp_ip_header(). 

#0  0x000000000b421b7d in assemble_udp_ip_header (interface=<optimized out>, 
    buf=0x77712edeeb70 "E\020\001S", bufix=0x77712edeeb1c, 
    from=<optimized out>, to=<optimized out>, port=17408, 
    data=0xb66c3a0 <fallback_interface> "", len=1392578629)
    at /home/lloyd/NetBSD/src/external/mpl/dhcp/lib/common/../../dist/common/packet.c:167

The line in question is
    udp.uh_sport = *libdhcp_callbacks.local_port /* XXX */

The problem is that the struct libdhcp_callbacks contains only null
pointers.

I labelled this problem "serious" because dhcrelay always seems to
dump core, but "low" because I guess nobody (else) is running dhcrelay
on NetBSD.

>How-To-Repeat:

Run dhcrelay and wait. I ran it as
	dhcrelay -d -4 -iu wm0 -id wm2 10.0.1.9

Changing the command line parameters with respect to whether or not
interfaces were designated as upstream, downstream or both didn't
prevent the core dump.

>Fix:

diff -r d841a31059bd -r 52ddfe4d5e41 external/mpl/dhcp/dist/common/packet.c
--- a/external/mpl/dhcp/dist/common/packet.c	Sat Sep 03 09:11:47 2022 +1200
+++ b/external/mpl/dhcp/dist/common/packet.c	Sat Sep 03 09:47:06 2022 +1200
@@ -133,16 +133,10 @@

 /* UDP header and IP header assembled together for convenience. */

-void assemble_udp_ip_header (interface, buf, bufix,
-			     from, to, port, data, len)
-	struct interface_info *interface;
-	unsigned char *buf;
-	unsigned *bufix;
-	u_int32_t from;
-	u_int32_t to;
-	u_int32_t port;
-	unsigned char *data;
-	unsigned len;
+void
+assemble_udp_ip_header (struct interface_info *interface, unsigned char *buf,
+			unsigned *bufix, u_int32_t from, u_int32_t to,
+			u_int32_t port, unsigned char *data, unsigned len)
 {
 	struct ip ip;
 	struct udphdr udp;
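
Review bot: The conversion of the assemble_udp_ip_header() definition from K&R parameters to a prototype is unrelated to the crash and should be dropped from this fix or sent as a separate change. The file sits under external/mpl/dhcp/dist/, and mixing a purely stylistic rewrite of the signature into the patch makes the one functional line in the next hunk harder to review.
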
@@ -170,7 +164,7 @@
 	*bufix += sizeof ip;

 	/* Fill out the UDP header */
-	udp.uh_sport = *libdhcp_callbacks.local_port;		/* XXX */
+	udp.uh_sport = libdhcp_callbacks.local_port ? *libdhcp_callbacks.local_port : htons(67);		/* XXX */
 	udp.uh_dport = port;			/* XXX */
 #if defined(RELAY_PORT)
 	/* Change to relay port defined if sending to server */
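
Review bot: The NULL check added to the uh_sport assignment avoids this one dereference but leaves the cause in place: per the description the whole libdhcp_callbacks struct holds null pointers, so every other member is still unset wherever it is used. Falling back to htons(67) also substitutes a constant for the program's local_port value, so a relay set up for a different port would silently send from 67. Prefer making sure the callbacks are populated before any packet is assembled, and if a guard stays here, report the unset pointer instead of picking a default. The changed line also runs well past 80 columns with the trailing /* XXX */ comment.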

>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/56995: dhcrelay dumps core when sending DHCP response packets
Date: Mon, 5 Sep 2022 06:43:36 -0000 (UTC)

 lloyd@must-have-coffee.gen.nz writes:

 >#0  0x000000000b421b7d in assemble_udp_ip_header (interface=<optimized out>, 
 >    buf=0x77712edeeb70 "E\020\001S", bufix=0x77712edeeb1c, 
 >    from=<optimized out>, to=<optimized out>, port=17408, 
 >    data=0xb66c3a0 <fallback_interface> "", len=1392578629)
 >    at /home/lloyd/NetBSD/src/external/mpl/dhcp/lib/common/../../dist/common/packet.c:167

 >The line in question is
 >    udp.uh_sport = *libdhcp_callbacks.local_port /* XXX */

 There are other lines where local_port isn't assumed to be
 initialized correctly.


 >The problem is that the struct libdhcp_callbacks contains only null
 >pointers.

 Callbacks are initialized from a global variable:

 extern u_int16_t local_port;

 libdhcp_callbacks_t dhcrelay_callbacks = {
         &local_port,
         &remote_port,
         classify,
         check_collection,
         dhcp,
 #ifdef DHCPv6
         dhcpv6,
 #endif /* DHCPv6 */
         bootp,
         find_class,
         parse_allow_deny,
         dhcp_set_control_state,
 };

 and are supposed to be registered (copied to the global libdhcp_callbacks)
 at the very beginning of main()......

 except that in the netbsd-9.3 sources that line is missing. Looks like
 a mistake when merging with upstream sources in 2018..
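
The registration step described in the reply above, as an added example that is not part of the problem report or of the NetBSD/ISC DHCP sources. It is a cut-down model: the type and function names (callbacks_t, lib_callbacks, relay_callbacks, callbacks_register, get_source_port) are hypothetical, and the checked accessor shows a read that fails when the table was never registered instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical, cut-down callback table: only the two port pointers. */
typedef struct {
	uint16_t *local_port;
	uint16_t *remote_port;
} callbacks_t;

/* Library-side global; zero-initialized, so every member starts as NULL. */
static callbacks_t lib_callbacks;

/* Program-side state and the table that points at it. */
static uint16_t local_port, remote_port;
static callbacks_t relay_callbacks = { &local_port, &remote_port };

/* Registration step: copy the program's table into the library global. */
static void callbacks_register(const callbacks_t *cb)
{
	memcpy(&lib_callbacks, cb, sizeof lib_callbacks);
}

/*
 * Checked read of the UDP source port. Stores the port (network byte
 * order) and returns 0, or returns -1 if the table was never registered.
 */
static int get_source_port(uint16_t *out)
{
	if (lib_callbacks.local_port == NULL)
		return -1;
	*out = *lib_callbacks.local_port;
	return 0;
}

int main(void)
{
	uint16_t sport;

	if (get_source_port(&sport) != -1)	/* nothing registered yet */
		return 1;
	local_port = htons(67);			/* constructed sample value */
	callbacks_register(&relay_callbacks);	/* must happen before any send */
	return (get_source_port(&sport) == 0 && sport == htons(67)) ? 0 : 1;
}
```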
