netbsd-bugs: Re: bin/839: pppd: bogus LCP echo failure

Subject: Re: bin/839: pppd: bogus LCP echo failure
To: None <sjg@zen.void.oz.au>
From: Mark Treacy <mark@labtam.oz.au>
List: netbsd-bugs
Date: 03/04/1995 13:50:17
you wrote:
>Ok, ppp session to a Sun (Sparcstation 10 running SunOS 4.1.3 and
>pppd-2.1.2b)  all humming happily.  At one point I pinged it for 338
>packes with only 2% loss.  Yet invariably NetBSD end shutsdown due to
>excessive LCP echo failures - while log clearly shows them being
>send/received ok.  I can only guess that this is an endian problem.

>>Fix:
Here's a slightly edited copy of some mail I sent Paul last year
regarding this bug.

To: Paul Mackerras <Paul.Mackerras@cs.anu.edu.au>
Subject: Patch for lcp echo request/reply bug, ppp 2.1.2
Date: Mon, 22 Aug 1994 14:16:30 +1000
From: Mark Treacy <mark@labtam.labtam.OZ.AU>

Hi Paul,
The lcp Echo-Reply packet construction and processing is not correct.
When an Echo-Request is received and the reply generated the packet
is incorrectly padded out with an additional 2 bytes.
When processing echo replies the length of the received reply is checked
to make sure it includes these additional 2 bytes.
This bug comes about because CILONG was used as the length of the
magic number field of the Echo packets.  As you know CIxxxx only pertains
to the length of the Configuration Information and should only be used
when manipulating configuration options (and the echo packets are not
configuration options, they're additional packet types).
I also added some syslog warnings to notify a user of the receive
processing problems.
Unfortunately older ppp code neglected to copy it's own magic number in
when constructing the reply, this, and the length errors, reduces the
utility of setting lcp-echo-failure to anything non zero.

 - Mark.
A patch to lcp.c follows,

------- lcp.c -------
*** /tmp/da0052J	Thu Jan  1 10:00:00 1970
--- lcp.c	Mon Aug 22 13:44:37 1994
***************
*** 290,297 ****
  	LCPDEBUG((LOG_INFO, "lcp: Echo-Request, Rcvd id %d", id));
  	magp = inp;
  	PUTLONG(lcp_gotoptions[f->unit].magicnumber, magp);
- 	if (len < CILEN_LONG)
- 	    len = CILEN_LONG;
  	fsm_sdata(f, ECHOREP, id, inp, len);
  	break;
      
--- 290,295 ----
***************
*** 1567,1578 ****
      u_long magic;
  
      /* Check the magic number - don't count replies from ourselves. */
!     if (len < CILEN_LONG)
  	return;
      GETLONG(magic, inp);
      if (lcp_gotoptions[f->unit].neg_magicnumber
! 	&& magic == lcp_gotoptions[f->unit].magicnumber)
  	return;
  
      /* Reset the number of outstanding echo frames */
      lcp_echos_pending = 0;
--- 1565,1582 ----
      u_long magic;
  
      /* Check the magic number - don't count replies from ourselves. */
!     if (len < 4) {
!     	syslog(LOG_WARNING, "lcp: received short Echo-Reply, len %d", len);
  	return;
+     }
      GETLONG(magic, inp);
      if (lcp_gotoptions[f->unit].neg_magicnumber
! 	&& magic == lcp_gotoptions[f->unit].magicnumber) {
!     	syslog(LOG_WARNING,
! 	    "lcp: Echo-Reply magic number error - sent %x, received %x",
! 	    lcp_gotoptions[f->unit].magicnumber, magic);
  	return;
+     }
  
      /* Reset the number of outstanding echo frames */
      lcp_echos_pending = 0;