NetBSD Problem Report #56995
From lloyd@fog.must-have-coffee.gen.nz Sun Sep 4 19:28:18 2022
Return-Path: <lloyd@fog.must-have-coffee.gen.nz>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id DDB171A921F
for <gnats-bugs@gnats.NetBSD.org>; Sun, 4 Sep 2022 19:28:17 +0000 (UTC)
Message-Id: <20220904192812.C6EC3F029@fog.must-have-coffee.gen.nz>
Date: Mon, 5 Sep 2022 07:28:12 +1200 (NZST)
From: lloyd@must-have-coffee.gen.nz
Reply-To: lloyd@fog.must-have-coffee.gen.nz
To: gnats-bugs@NetBSD.org
Subject: dhcrelay dumps core when sending DHCP response packets
X-Send-Pr-Version: 3.95
>Number: 56995
>Category: bin
>Synopsis: dhcrelay dumps core when sending DHCP response packets
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 04 19:30:00 +0000 2022
>Last-Modified: Mon Sep 05 06:45:01 +0000 2022
>Originator: Lloyd Parkes
>Release: NetBSD 9.3
>Organization:
Must Have Coffee
>Environment:
System: System: NetBSD drumhunter.must-have-coffee.gen.nz 9.3_STABLE NetBSD 9.3_STABLE (SERIAL) #0: Sat Sep 3 11:51:37 NZST 2022 lloyd@riftsweeper.must-have-coffee.gen.nz:/home/lloyd/NetBSD/objdir/sys/arch/amd64/compile/SERIAL amd64
Architecture: x86_64
Machine: amd64
>Description:
When dhcrelay tries to relay the DHCP response to the client it dumps
core with SIGSEGV. The backtrace shows that it is crashing at
packet.c:167? in assemble_udp_ip_header().
#0 0x000000000b421b7d in assemble_udp_ip_header (interface=<optimized out>,
buf=0x77712edeeb70 "E\020\001S", bufix=0x77712edeeb1c,
from=<optimized out>, to=<optimized out>, port=17408,
data=0xb66c3a0 <fallback_interface> "", len=1392578629)
at /home/lloyd/NetBSD/src/external/mpl/dhcp/lib/common/../../dist/common/packet.c:167
The line in question is
udp.uh_sport = *libdhcp_callbacks.local_port /* XXX */
The problem is that the struct libdhcp_callbacks contains only null
pointers.
I labelled this problem "serious" because dhcrelay always seems to
dump core, but "low" because I guess nobody (else) is running dhcrelay
on NetBSD.
>How-To-Repeat:
Run dhcrelay and wait. I ran it as
dhcrelay -d -4 -iu wm0 -id wm2 10.0.1.9
Changing the command line parameters with respect to whether or not
interfaces were designated as upstream, downstream or both didn't
prevent the core dump.
>Fix:
diff -r d841a31059bd -r 52ddfe4d5e41 external/mpl/dhcp/dist/common/packet.c
--- a/external/mpl/dhcp/dist/common/packet.c Sat Sep 03 09:11:47 2022 +1200
+++ b/external/mpl/dhcp/dist/common/packet.c Sat Sep 03 09:47:06 2022 +1200
@@ -133,16 +133,10 @@
/* UDP header and IP header assembled together for convenience. */
-void assemble_udp_ip_header (interface, buf, bufix,
- from, to, port, data, len)
- struct interface_info *interface;
- unsigned char *buf;
- unsigned *bufix;
- u_int32_t from;
- u_int32_t to;
- u_int32_t port;
- unsigned char *data;
- unsigned len;
+void
+assemble_udp_ip_header (struct interface_info *interface, unsigned char *buf,
+ unsigned *bufix, u_int32_t from, u_int32_t to,
+ u_int32_t port, unsigned char *data, unsigned len)
{
struct ip ip;
struct udphdr udp;
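Review bot: the K&R-to-prototype rewrite of the assemble_udp_ip_header definition is a style change unrelated to the crash and would be better as a separate commit, so the one-line fix in the next hunk can be reviewed and pulled up on its own. Because the file sits under external/mpl/dhcp/dist, the reformatting also adds a local difference that has to be carried through later imports. If it stays, check that the declaration in the header uses the same parameter types.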
@@ -170,7 +164,7 @@
*bufix += sizeof ip;
/* Fill out the UDP header */
- udp.uh_sport = *libdhcp_callbacks.local_port; /* XXX */
+ udp.uh_sport = libdhcp_callbacks.local_port ? *libdhcp_callbacks.local_port : htons(67); /* XXX */
udp.uh_dport = port; /* XXX */
#if defined(RELAY_PORT)
/* Change to relay port defined if sending to server */
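Review bot: the new ternary on udp.uh_sport guards only this one dereference and masks the underlying fault: if libdhcp_callbacks.local_port is NULL the callback table was never set up, and silently sending from htons(67) conceals that while every other use of the table stays unguarded. Prefer fixing the initialization, or at least log an error on the NULL path. If a fallback is kept, use a named constant for 67 instead of the literal and wrap the line, which now runs well past 80 columns.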
>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/56995: dhcrelay dumps core when sending DHCP response packets
Date: Mon, 5 Sep 2022 06:43:36 -0000 (UTC)
lloyd@must-have-coffee.gen.nz writes:
>#0 0x000000000b421b7d in assemble_udp_ip_header (interface=<optimized out>,
> buf=0x77712edeeb70 "E\020\001S", bufix=0x77712edeeb1c,
> from=<optimized out>, to=<optimized out>, port=17408,
> data=0xb66c3a0 <fallback_interface> "", len=1392578629)
> at /home/lloyd/NetBSD/src/external/mpl/dhcp/lib/common/../../dist/common/packet.c:167
>The line in question is
> udp.uh_sport = *libdhcp_callbacks.local_port /* XXX */
There are other lines where local_port isn't assumed to be
initialized correctly.
>The problem is that the struct libdhcp_callbacks contains only null
>pointers.
Callbacks are initialized from a global variable:
	extern u_int16_t local_port;

	libdhcp_callbacks_t dhcrelay_callbacks = {
		&local_port,
		&remote_port,
		classify,
		check_collection,
		dhcp,
#ifdef DHCPv6
		dhcpv6,
#endif /* DHCPv6 */
		bootp,
		find_class,
		parse_allow_deny,
		dhcp_set_control_state,
	};
and are supposed to be registered (copied to the global libdhcp_callbacks)
at the very beginning of main()......
except that in the netbsd-9.3 sources that line is missing. Looks like
a mistake when merging with upstream sources in 2018..
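
The registration pattern described in the reply above, modelled in miniature as an added example (not code from dhcrelay, ISC DHCP or this report). The struct, function and flag names are hypothetical; it shows a zero-initialized callback table, the copy step, and a checked accessor that reports a missing registration instead of dereferencing NULL or substituting a default port.

```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Miniature model of the pattern in this report; all names are hypothetical. */
struct callbacks {
    uint16_t *local_port;   /* points at the program's port, network order */
    uint16_t *remote_port;
};

/* Library-side global: zero-initialized, so every member starts out NULL. */
static struct callbacks lib_callbacks;
static int lib_callbacks_registered;

/* Program-side state and table, as a relay program would define them. */
static uint16_t local_port;
static uint16_t remote_port;
static const struct callbacks relay_callbacks = { &local_port, &remote_port };

/* The step that has to run at the start of main(): copy the table in. */
void register_callbacks(const struct callbacks *cb)
{
    lib_callbacks = *cb;
    lib_callbacks_registered = 1;
}

/*
 * Checked accessor: returns 0 and stores the port on success, or -1 when
 * the table was never registered, so the caller can log and stop rather
 * than crash or send from a guessed port.
 */
int get_source_port(uint16_t *out)
{
    if (!lib_callbacks_registered || lib_callbacks.local_port == NULL)
        return -1;
    *out = *lib_callbacks.local_port;
    return 0;
}

int main(void)
{
    uint16_t port;
    if (get_source_port(&port) != -1)   /* before registration: must fail */
        return 1;
    local_port = htons(67);             /* constructed sample value */
    register_callbacks(&relay_callbacks);
    return (get_source_port(&port) == 0 && port == htons(67)) ? 0 : 2;
}
```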