NetBSD Problem Report #19069

Received: (qmail 352 invoked by uid 605); 16 Nov 2002 04:14:52 -0000
Message-Id: <20021116041433.F35897AF@starfruit.itojun.org>
Date: Sat, 16 Nov 2002 13:14:33 +0900 (JST)
From: itojun@itojun.org
Sender: gnats-bugs-owner@netbsd.org
Reply-To: itojun@itojun.org
To: gnats-bugs@gnats.netbsd.org
Subject: traceroute(8) and traceroute6(8) can send packet to udp port 0, which is illegal
X-Send-Pr-Version: 3.95

>Number:         19069
>Category:       bin
>Synopsis:       traceroute(8) and traceroute6(8) can send packet to udp port 0, which is illegal
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 16 04:15:00 +0000 2002
>Closed-Date:    Sat Oct 07 10:25:02 +0000 2006
>Last-Modified:  Thu May 13 18:20:02 +0000 2010
>Originator:     Jun-ichiro itojun Hagino
>Release:        NetBSD 1.6K
>Organization:
	itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 1.6K NetBSD 1.6K (STARFRUIT) #23: Thu Nov 14 13:16:47 JST 2002 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386
Architecture: i386
Machine: i386
>Description:
	if you specify large starting port to traceroute(8) or traceroute6(8)
	with -p, it can emit packet to udp port 0, which is illegal.
	(source port 0 is legal, destination port 0 is illegal based on
	udp spec)

>How-To-Repeat:
% traceroute -p 65530 coconut
# tcpdump -n -i wi0 udp
tcpdump: listening on wi0
13:09:40.933387 204.42.71.254.39022 > 219.101.47.130.65531: udp 12 [ttl 1]
13:09:40.935752 204.42.71.254.39022 > 219.101.47.130.65532: udp 12 [ttl 1]
13:09:40.943266 204.42.71.254.39022 > 219.101.47.130.65533: udp 12 [ttl 1]
13:09:40.945421 204.42.71.254.39022 > 219.101.47.130.65534: udp 12
13:09:40.950807 204.42.71.254.39022 > 219.101.47.130.65535: udp 12
13:09:40.953856 204.42.71.254.39022 > 219.101.47.130.0: udp 12		<---
13:09:40.957898 204.42.71.254.39022 > 219.101.47.130.1: udp 12
13:09:40.963449 204.42.71.254.39022 > 219.101.47.130.2: udp 12
13:09:40.968796 204.42.71.254.39022 > 219.101.47.130.3: udp 12
13:09:40.972650 204.42.71.254.39022 > 219.101.47.130.4: udp 12
13:09:40.993057 204.42.71.254.39022 > 219.101.47.130.5: udp 12
13:09:41.013815 204.42.71.254.39022 > 219.101.47.130.6: udp 12
13:09:41.034771 204.42.71.254.39022 > 219.101.47.130.7: udp 12
13:09:41.056732 204.42.71.254.39022 > 219.101.47.130.8: udp 12
13:09:41.078967 204.42.71.254.39022 > 219.101.47.130.9: udp 12
13:09:41.099369 204.42.71.254.39022 > 219.101.47.130.10: udp 12
13:09:41.180675 204.42.71.254.39022 > 219.101.47.130.11: udp 12
13:09:41.263266 204.42.71.254.39022 > 219.101.47.130.12: udp 12
13:09:41.344700 204.42.71.254.39022 > 219.101.47.130.13: udp 12

>Fix:
	look for "port + seq" expression, and adjust them appropriately.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: elad@netbsd.org
State-Changed-When: Sat, 07 Oct 2006 10:25:02 +0000
State-Changed-Why:
fixed


From: Elad Efrat <elad@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: PR/19069 CVS commit: src/usr.sbin/traceroute
Date: Sat,  7 Oct 2006 10:23:34 +0000 (UTC)

 Module Name:	src
 Committed By:	elad
 Date:		Sat Oct  7 10:23:33 UTC 2006

 Modified Files:
 	src/usr.sbin/traceroute: traceroute.c

 Log Message:
 PR/19069: Jun-ichiro itojun Hagino: traceroute(8) and traceroute6(8) can
 send packet to udp port 0, which is illegal


 To generate a diff of this commit:
 cvs rdiff -r1.66 -r1.67 src/usr.sbin/traceroute/traceroute.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Elad Efrat <elad@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: PR/19069 CVS commit: src/usr.sbin/traceroute6
Date: Sat,  7 Oct 2006 10:24:48 +0000 (UTC)

 Module Name:	src
 Committed By:	elad
 Date:		Sat Oct  7 10:24:48 UTC 2006

 Modified Files:
 	src/usr.sbin/traceroute6: traceroute6.c

 Log Message:
 PR/19069: Jun-ichiro itojun Hagino: traceroute(8) and traceroute6(8) can
 send packet to udp port 0, which is illegal


 To generate a diff of this commit:
 cvs rdiff -r1.36 -r1.37 src/usr.sbin/traceroute6/traceroute6.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: hsuenaga@iij.ad.jp
To: gnats-bugs@NetBSD.org
Cc: 
Subject: traceroute6 can send packet to udp port 0 on BIG-ENDIAN machines (fix of PR/19069 is defective).
Date: Thu, 13 May 2010 08:32:50 +0000 (UTC)

 >Submitter-Id:	net
 >Originator:	SUENAGA Hiroki
 >Organization:	Internet Initiative Japan Inc.
 >Confidential:	no
 >Synopsis:	traceroute6 can send packet to udp port 0 on BIG-ENDIAN machines (fix of PR/19069 is defective).
 >Severity:	non-critical
 >Priority:	low
 >Category:	kern
 >Class:		sw-bug
 >Release:	NetBSD-3.1 and current
 >Environment:	found on embedded NetBSD-3.1(MIPS).
 The problem can be found on NetBSD-current.
 >Description:
 traceroute6 can send packet to udp port 0 on BIG-ENDIAN machines when sequence number is 65535.

 The BUG is here:

  363 int
  364 main(argc, argv)
  ....
  867                         if (!useicmp && htons(port + seq + 1) == 0)
  868                                 seq++;
  869                         send_probe(++seq, hops);

 Lines 867 and 868 are the fix code of PR/19069, but they are defective.

 On BIG-ENDIAN machines, htons() is a NULL macro, so line 867 is preprocessed to

   if (!useicmp && (port + seq + 1) == 0)

 (port + seq + 1) is used as a port number of type uint16_t.  But the variable 'seq' is int,
 so the right hand of the condition is false when the port number becomes 0. 65536 is
 not zero on line 867, but it becomes zero when cast to a port number later.

 On LITTLE-ENDIAN machines, htons() contains type cast to uint16_t. So it works fine.

 >How-To-Repeat:
 # traceroute6 -p 65535 <Target Address>

 >Fix:
 Cast to in_port_t before htons.

 cvs diff: Diffing .
 Index: traceroute6.c
 ===================================================================
 RCS file: /cvsroot/src/usr.sbin/traceroute6/traceroute6.c,v
 retrieving revision 1.38
 diff -u -w -p -r1.38 traceroute6.c
 --- traceroute6.c       16 Feb 2009 20:36:11 -0000      1.38
 +++ traceroute6.c       13 May 2010 08:16:55 -0000
 @@ -864,7 +864,7 @@ main(argc, argv)
                         struct timeval t1, t2;

                         (void) gettimeofday(&t1, NULL);
 -                       if (!useicmp && htons(port + seq + 1) == 0)
 +                       if (!useicmp && htons((in_port_t)(port + seq + 1)) == 0)
                                 seq++;
                         send_probe(++seq, hops);
                         while ((cc = wait_for_reply(rcvsock, &rcvmhdr))) {
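
Review bot: On the changed line, htons() is not needed for a comparison against 0, since zero reads the same in either byte order, and keeping it hides that the (in_port_t) cast is what makes the test correct; `if (!useicmp && (in_port_t)(port + seq + 1) == 0)` says the same thing directly. The test also recomputes the next destination port separately from send_probe(++seq, hops), so the two expressions can disagree again as they did before this change; computing the port once into an in_port_t variable and using that value both for the test and for the probe would keep them in step. A one-line comment that the branch skips UDP destination port 0 would document the intent of the extra seq++.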

From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/19069 CVS commit: src/usr.sbin/traceroute6
Date: Thu, 13 May 2010 14:19:18 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Thu May 13 18:19:18 UTC 2010

 Modified Files:
 	src/usr.sbin/traceroute6: traceroute6.c

 Log Message:
 PR/19069: SUENAGA Hiroki: Original fix was defective because on big endian
 the expression is not truncated to 16 bits, thus sending to port 65536 makes
 the == 0 test fail and the packet ends up being sent.


 To generate a diff of this commit:
 cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/traceroute6/traceroute6.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
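
The truncation problem described in the 2010 report and in the commit message above, replayed as a small added example (not code from traceroute6.c). The `HTONS_BE` macro, `htons_le()` and the helper names are hypothetical stand-ins written for this example, `uint16_t` stands in for `in_port_t`, and it assumes the probe's destination port is the low 16 bits of `port + seq`.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for htons(), written for this example.
 * Big-endian style: a no-op macro, so an int argument stays an int. */
#define HTONS_BE(x) (x)
/* Little-endian style: the uint16_t parameter narrows the argument first. */
static uint16_t htons_le(uint16_t x) { return (uint16_t)((x << 8) | (x >> 8)); }

typedef int (*skip_fn)(int port, int seq);

/* Original check on a big-endian host: a plain int comparison. */
static int skip_orig_be(int port, int seq) { return HTONS_BE(port + seq + 1) == 0; }
/* Same check on a little-endian host: narrowed on the way into htons(). */
static int skip_orig_le(int port, int seq) { return htons_le((uint16_t)(port + seq + 1)) == 0; }
/* Check with the cast from the report applied; works with either htons(). */
static int skip_fixed(int port, int seq) { return HTONS_BE((uint16_t)(port + seq + 1)) == 0; }

/* Assumption: the destination port on the wire is the low 16 bits of port + seq. */
static uint16_t wire_port(int port, int seq) { return (uint16_t)(port + seq); }

/* Replays the loop body quoted in the report for nprobes probes and
 * returns how many of them would go to UDP destination port 0. */
static int count_port0(int port, int nprobes, skip_fn skip)
{
    int seq = 0, zero = 0;
    for (int i = 0; i < nprobes; i++) {
        if (skip(port, seq))
            seq++;
        ++seq;                          /* send_probe(++seq, hops) */
        if (wire_port(port, seq) == 0)
            zero++;
    }
    return zero;
}

int main(void)
{
    printf("-p 65535 original, big-endian:    %d probe(s) to port 0\n",
           count_port0(65535, 5, skip_orig_be));
    printf("-p 65535 original, little-endian: %d probe(s) to port 0\n",
           count_port0(65535, 5, skip_orig_le));
    printf("-p 65535 with cast:               %d probe(s) to port 0\n",
           count_port0(65535, 5, skip_fixed));
    return 0;
}
```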

>Unformatted:
