NetBSD Problem Report #46580

From t-hash@abox3.so-net.ne.jp  Mon Jun 11 01:12:04 2012
Return-Path: <t-hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id D891363B882
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 11 Jun 2012 01:12:03 +0000 (UTC)
Message-Id: <201206110111.q5B1Bwlc002066@mx61.ms.so-net.ne.jp>
Date: Mon, 11 Jun 2012 10:11:59 +0900
From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Subject: rtadvd may send RA packet with bad ND option

>Number:         46580
>Category:       bin
>Synopsis:       rtadvd may send RA packet with bad ND option
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    msaitoh
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 11 01:15:00 +0000 2012
>Closed-Date:    Wed Aug 08 04:07:43 +0000 2012
>Last-Modified:  Wed Aug 08 15:40:06 +0000 2012
>Originator:     Takahiro HAYASHI
>Release:        NetBSD 6.99.7 (201206071450Z)
>Organization:
>Environment:
System: NetBSD ruin 6.99.7 NetBSD 6.99.7 (MONOLITHIC) #0: Thu Jun  7 22:27:34 UTC 2012  builds@b6.netbsd.org:/home/builds/ab/HEAD/i386/201206071450Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/MONOLITHIC i386
Architecture: i386
Machine: i386
>Description:
rtadvd(8) sends RA packet with bad ND option(type=0, length=0)
when the interface is described in rtadvd.conf.
This prevents clients from updating prefix.
This problem doesn't happen if rtadvd.conf does not exist or
rtadvd.conf does not include the config about propagating interface.

trying to run rtadvd in debug mode.

# ifconfig tap0 create up
# echo 'tap0:addr="fd00::":prefixlen#64:' > /tmp/ra.conf
# sysctl -w net.inet6.ip6.forwarding=1
# rtadvd -dfD -c /tmp/ra.conf tap0

rtadvd receives RA from himself and complains about it.

rtadvd[520]: <ra_input> RA received from fe80::f00b:a4ff:fe1f:2a02 on tap0
rtadvd[520]: <nd6_options> bad ND option length(0) (type = 0)
rtadvd[520]: <ra_input> ND option check failed for an RA from fe80::f00b:a4ff:fe1f:2a02 on tap0

tcpdump says RA has excess 32 bytes zeros.

# tcpdump -i tap0 -nvXX
09:26:38.146318 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 88) fe80::f00b:a4ff:fe1f:2a02 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
          source link-address option (1), length 8 (1): f2:0b:a4:1f:2a:02
          prefix info option (3), length 32 (4): fd00::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s[ndp opt]
        0x0000:  3333 0000 0001 f20b a41f 2a02 86dd 6000  33........*...`.
        0x0010:  0000 0058 3aff fe80 0000 0000 0000 f00b  ...X:...........
        0x0020:  a4ff fe1f 2a02 ff02 0000 0000 0000 0000  ....*...........
        0x0030:  0000 0000 0001 8600 ae0d 4000 0708 0000  ..........@.....
        0x0040:  0000 0000 0000 0101 f20b a41f 2a02 0304  ............*...
        0x0050:  40c0 0027 8d00 0009 3a80 0000 0000 fd00  @..'....:.......
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000       ..............

>How-To-Repeat:
Please see Description.
>Fix:
No idea.


>Release-Note:

>Audit-Trail:
From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/46580: rtadvd may send RA packet with bad ND option
Date: Sun, 17 Jun 2012 18:42:55 +0900

 Does this patch look good?

 - start num of prefixes(tmp->pfxs) with 0, not 1.
   tmp->prefix is TAILQ of the prefixes that are
   described in config so that pfxs should start with 0.
 - inclease num of prefixes(rai->pfxs) in get_prefix()
   if valid prefixes are found.
   (get_prefix() is called when tmp->prefix is empty)

 Index: src/usr.sbin/rtadvd/config.c
 ===================================================================
 RCS file: /cvsroot/src/usr.sbin/rtadvd/config.c,v
 retrieving revision 1.27
 diff -u -p -r1.27 config.c
 --- src/usr.sbin/rtadvd/config.c	11 Dec 2011 20:44:44 -0000	1.27
 +++ src/usr.sbin/rtadvd/config.c	15 Jun 2012 09:38:57 -0000
 @@ -290,7 +290,7 @@ getconfig(const char *intface)
  	MAYHAVE(val, "clockskew", 0);
  	tmp->clockskew = val;

 -	tmp->pfxs++;
 +	tmp->pfxs = 0;
  	TAILQ_INIT(&tmp->prefix);
  	for (i = -1; i < MAXPREFIX; i++) {
  		struct prefix *pfx;
 @@ -763,6 +763,7 @@ get_prefix(struct rainfo *rai)

  		/* link into chain */
  		TAILQ_INSERT_TAIL(&rai->prefix, pp, next);
 +		rai->pfxs++;
  	}

  	freeifaddrs(ifap);

Responsible-Changed-From-To: bin-bug-people->msaitoh
Responsible-Changed-By: msaitoh@NetBSD.org
Responsible-Changed-When: Wed, 08 Aug 2012 04:07:43 +0000
Responsible-Changed-Why:
mine.


State-Changed-From-To: open->closed
State-Changed-By: msaitoh@NetBSD.org
State-Changed-When: Wed, 08 Aug 2012 04:07:43 +0000
State-Changed-Why:
fixed in -current. Thanks.


From: "SAITOH Masanobu" <msaitoh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/46580 CVS commit: src/usr.sbin/rtadvd
Date: Wed, 8 Aug 2012 04:05:26 +0000

 Module Name:	src
 Committed By:	msaitoh
 Date:		Wed Aug  8 04:05:26 UTC 2012

 Modified Files:
 	src/usr.sbin/rtadvd: config.c

 Log Message:
 Fix a bug that incorrect RA packet is sent if rtadvd.conf exists.
 Fixes PR#46580 reported by Takahiro HAYASHI.


 To generate a diff of this commit:
 cvs rdiff -u -r1.27 -r1.28 src/usr.sbin/rtadvd/config.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@NetBSD.org
Cc: msaitoh@NetBSD.org
Subject: Re: PR/46580 CVS commit: src/usr.sbin/rtadvd
Date: Wed, 08 Aug 2012 21:19:19 +0900

 Thank you for fixing the probrem.

 Could you please fix also rtadvd of netbsd-6?
 That has completely same code with HEAD except revisions.

 On Wed,  8 Aug 2012 04:10:06 +0000 (UTC)
 "SAITOH Masanobu" <msaitoh@netbsd.org> wrote:

 > The following reply was made to PR bin/46580; it has been noted by GNATS.
 > 
 > From: "SAITOH Masanobu" <msaitoh@netbsd.org>
 > To: gnats-bugs@gnats.NetBSD.org
 > Cc: 
 > Subject: PR/46580 CVS commit: src/usr.sbin/rtadvd
 > Date: Wed, 8 Aug 2012 04:05:26 +0000
 > 
 >  Module Name:	src
 >  Committed By:	msaitoh
 >  Date:		Wed Aug  8 04:05:26 UTC 2012
 >  
 >  Modified Files:
 >  	src/usr.sbin/rtadvd: config.c
 >  
 >  Log Message:
 >  Fix a bug that incorrect RA packet is sent if rtadvd.conf exists.
 >  Fixes PR#46580 reported by Takahiro HAYASHI.

 --
 t-hash

From: Julian Coleman <jdc@coris.org.uk>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: PR/46580 CVS commit: src/usr.sbin/rtadvd
Date: Wed, 8 Aug 2012 13:37:00 +0100

 Hello Hayashi-san,

 >  Could you please fix also rtadvd of netbsd-6?
 >  That has completely same code with HEAD except revisions.

 This change is in the pull-up request queue for netbsd-6:

   http://releng.netbsd.org/cgi-bin/req-6.cgi?show=465

 Thanks,

 J

 -- 
   My other computer also runs NetBSD    /        Sailing at Newbiggin
         http://www.netbsd.org/        /   http://www.newbigginsailingclub.org/

From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@netbsd.org
Cc: jdc@coris.org.uk, msaitoh@netbsd.org, gnats-admin@netbsd.org,
        netbsd-bugs@netbsd.org
Subject: Re: PR/46580 CVS commit: src/usr.sbin/rtadvd
Date: Thu, 09 Aug 2012 00:24:41 +0900

 On Wed,  8 Aug 2012 12:40:03 +0000 (UTC)
 Julian Coleman <jdc@coris.org.uk> wrote:

 > The following reply was made to PR bin/46580; it has been noted by GNATS.
 > 
 > From: Julian Coleman <jdc@coris.org.uk>
 > To: gnats-bugs@NetBSD.org
 > Cc: 
 > Subject: Re: PR/46580 CVS commit: src/usr.sbin/rtadvd
 > Date: Wed, 8 Aug 2012 13:37:00 +0100
 > 
 >  Hello Hayashi-san,
 >  
 >  >  Could you please fix also rtadvd of netbsd-6?
 >  >  That has completely same code with HEAD except revisions.
 >  
 >  This change is in the pull-up request queue for netbsd-6:
 >  
 >    http://releng.netbsd.org/cgi-bin/req-6.cgi?show=465

 I did not check the pullup tickets list.
 Thank you for notification.

 --
 t-hash

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/46580 CVS commit: [netbsd-6] src/usr.sbin/rtadvd
Date: Wed, 8 Aug 2012 15:37:49 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Wed Aug  8 15:37:49 UTC 2012

 Modified Files:
 	src/usr.sbin/rtadvd [netbsd-6]: config.c

 Log Message:
 Pull up following revision(s) (requested by msaitoh in ticket #465):
 	usr.sbin/rtadvd/config.c: revision 1.28
 Fix a bug that incorrect RA packet is sent if rtadvd.conf exists.
 Fixes PR#46580 reported by Takahiro HAYASHI.


 To generate a diff of this commit:
 cvs rdiff -u -r1.27 -r1.27.2.1 src/usr.sbin/rtadvd/config.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.