Subject: kern/1693: bug in if_loop.c
To: None <gnats-bugs@gnats.netbsd.org>
From: None <Jean-Luc.Richier@imag.fr>
List: netbsd-bugs
Date: 10/25/1995 15:29:16
>Number:         1693
>Category:       kern
>Synopsis:       tcpdump shows abnormal packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 25 12:50:01 1995
>Last-Modified:
>Originator:     Jean-Luc Richier
>Organization:
IMAG
>Release:        NetBSD-current source: October 11
>Environment:
sun netbsd-1.0A current, sparc, 2 ethernet interfaces
System: NetBSD ganesha.imag.fr 1.0A NetBSD 1.0A (GANESHAv6) #2: Thu Oct 12 09:18:43 MET 1995 richier@ganesha.imag.fr:/usr/src/sys/arch/sparc/compile/GANESHAv6 sparc


>Description:
	
The problem :
I have a NetBSD machine with 2 interfaces and the gated daemon.

Using tcpdump on an ethernet interface le0, the output shows abnormal packets,
with curious ethernet addresses and type.
The analysis shows that:
- an incorrect packet is received each time a RIP broadcast packet is sent;
- the content of the incorrect packet is the content of the RIP packet,
  shifted by 10 bytes.

The cause is as follows :
- the RIP packet, broadcast, is sent down to the ethernet leoutput routine
- leoutput detects that the interface has been opened by bpf and sends a (correct)
  copy of the message to the bpf filter and to tcpdump
- leoutput detects that the packet is a broadcast, and, as le0 is a SIMPLEX
  interface, sends a copy of the packet to the machine via looutput
- looutput is called with ifp=interface_le0. It detects that the interface
  is in bpf mode, and therefore sends a copy of the packet to bpf and tcpdump
Therefore the packet is passed twice to bpf.
But there is another problem with the second copy: it is passed with a
DLT_NULL (4-byte) header. Tcpdump receives it and believes that it comes from
the opened interface le0, and therefore that it has a DLT_10M (14-byte) header.
Therefore tcpdump is unable to interpret the packet.

>How-To-Repeat:
see above
>Fix:

CORRECTION:
The second copy made by looutput is incorrect; looutput should call bpf only
for packets sent directly through the lo0 interface.
The suggested patch is as follows:

*** /usr/src/sys/net/if_loop.c.PB	Tue Aug 15 17:32:30 1995
--- /usr/src/sys/net/if_loop.c	Thu Oct 12 09:18:11 1995
***************
*** 126,132 ****
  		panic("looutput: no header mbuf");
  	ifp->if_lastchange = time;
  #if NBPFILTER > 0
! 	if (ifp->if_bpf) {
  		/*
  		 * We need to prepend the address family as
  		 * a four byte field.  Cons up a dummy header
--- 126,133 ----
  		panic("looutput: no header mbuf");
  	ifp->if_lastchange = time;
  #if NBPFILTER > 0
! 		/* bpf test only on lo interface, not for SIMPLEX interfaces */
! 	if (ifp->if_bpf && (ifp->if_flags&IFF_LOOPBACK)) {
  		/*
  		 * We need to prepend the address family as
  		 * a four byte field.  Cons up a dummy header
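Review bot: the new test `if (ifp->if_bpf && (ifp->if_flags&IFF_LOOPBACK))` gates the tap on the flags of whichever ifp the caller passed, and the comment above it should say so, because that is the whole reason it works: in the simplex path the report describes, looutput is entered with ifp pointing at le0, so `ifp->if_bpf` here is le0's descriptor, not lo0's, and the IFF_LOOPBACK check is what stops the second, DLT_NULL-framed copy from reaching le0's listeners. Two consequences worth recording in the comment or the commit message: the test has nothing to do with SIMPLEX as such (it excludes every non-loopback ifp), and a listener attached to lo0 itself still never sees packets looped back for a simplex interface, since the loopback interface's own descriptor is not consulted on that path; if that capture is wanted, the tap must use the loopback interface's descriptor rather than `ifp->if_bpf`. Style: the new comment line `/* bpf test only on lo interface, not for SIMPLEX interfaces */` is indented one tab deeper than the `if` it documents, at the level of the block body; align it with the `if`.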
>Audit-Trail:
>Unformatted:
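The 10-byte shift and the "curious ethernet addresses and type" in the report follow directly from the two link-layer framings involved: looutput prepends a 4-byte address family (DLT_NULL), while a tcpdump opened on le0 strips a 14-byte Ethernet header (DLT_EN10MB, which the report calls DLT_10M). The program below is an added illustration, not code from the PR or from the NetBSD tree: it frames the same constructed RIP/UDP packet both ways, runs a small Ethernet decoder over the DLT_NULL frame the way tcpdump would, and reports where the decoder's idea of the payload lands and what it reads as the Ethernet type. The sample packet bytes, the source MAC, and the address-family value are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Link-layer header sizes for the two DLTs in the report. */
#define NULL_HDRLEN   4    /* DLT_NULL: 4-byte address family */
#define ETHER_HDRLEN 14    /* DLT_EN10MB: dst(6) src(6) type(2) */
#define AF_VALUE      2    /* constructed: stands in for AF_INET in the dummy header */

/* Constructed sample: first 32 bytes of an IPv4/UDP RIPv1 broadcast (520 -> 520). */
static const uint8_t rip_ip_packet[] = {
    0x45, 0x00, 0x00, 0x34, 0x12, 0x34, 0x00, 0x00, 0x01, 0x11, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x02, 0xff, 0xff, 0xff, 0xff,   /* 192.168.1.2 -> 255.255.255.255 */
    0x02, 0x08, 0x02, 0x08, 0x00, 0x20, 0x00, 0x00,   /* UDP 520 -> 520, len 32 */
    0x02, 0x01, 0x00, 0x00,                            /* RIP response, version 1 */
};

/* Frame the packet the way leoutput hands it to bpf: 14-byte Ethernet header. */
static size_t frame_en10mb(uint8_t *out, size_t cap, const uint8_t *ip, size_t iplen) {
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    static const uint8_t src[6]   = {0x08, 0x00, 0x20, 0x01, 0x02, 0x03}; /* constructed MAC */
    if (cap < ETHER_HDRLEN + iplen) return 0;
    memcpy(out, bcast, 6);
    memcpy(out + 6, src, 6);
    out[12] = 0x08; out[13] = 0x00;                    /* ETHERTYPE_IP */
    memcpy(out + ETHER_HDRLEN, ip, iplen);
    return ETHER_HDRLEN + iplen;
}

/* Frame the packet the way looutput hands it to bpf: 4-byte address family
 * in host byte order, exactly the "dummy header" the patched code conses up. */
static size_t frame_null(uint8_t *out, size_t cap, const uint8_t *ip, size_t iplen) {
    uint32_t af = AF_VALUE;
    if (cap < NULL_HDRLEN + iplen) return 0;
    memcpy(out, &af, NULL_HDRLEN);
    memcpy(out + NULL_HDRLEN, ip, iplen);
    return NULL_HDRLEN + iplen;
}

/* What a DLT_EN10MB consumer (tcpdump opened on le0) extracts from a buffer. */
struct ether_view {
    uint8_t dst[6], src[6];
    uint16_t type;
    const uint8_t *payload;
    size_t paylen;
};

static int decode_as_ether(const uint8_t *buf, size_t len, struct ether_view *v) {
    if (len < ETHER_HDRLEN) return -1;
    memcpy(v->dst, buf, 6);
    memcpy(v->src, buf + 6, 6);
    v->type = (uint16_t)((buf[12] << 8) | buf[13]);
    v->payload = buf + ETHER_HDRLEN;
    v->paylen = len - ETHER_HDRLEN;
    return 0;
}

/* Decode the DLT_NULL frame as Ethernet and return how far into the real IP
 * packet the decoder's "payload" pointer lands: the shift the report observed. */
static long misparse_shift(void) {
    uint8_t buf[128];
    struct ether_view v;
    size_t n = frame_null(buf, sizeof buf, rip_ip_packet, sizeof rip_ip_packet);
    if (n == 0 || decode_as_ether(buf, n, &v) != 0) return -1;
    return (long)(v.payload - (buf + NULL_HDRLEN));
}

/* The "ethernet type" tcpdump prints for the misframed copy: bytes 8-9 of the
 * IP header (TTL and protocol) read as a 16-bit type field. */
static int misparsed_ethertype(void) {
    uint8_t buf[128];
    struct ether_view v;
    size_t n = frame_null(buf, sizeof buf, rip_ip_packet, sizeof rip_ip_packet);
    if (n == 0 || decode_as_ether(buf, n, &v) != 0) return -1;
    return v.type;
}

/* Control: the correctly framed first copy decodes to ETHERTYPE_IP with the
 * IPv4 version/IHL byte at payload offset 0. */
static int correct_ethertype(void) {
    uint8_t buf[128];
    struct ether_view v;
    size_t n = frame_en10mb(buf, sizeof buf, rip_ip_packet, sizeof rip_ip_packet);
    if (n == 0 || decode_as_ether(buf, n, &v) != 0) return -1;
    return (v.payload[0] == 0x45) ? v.type : -1;
}

int main(void) {
    printf("correct copy: type 0x%04x\n", correct_ethertype());
    printf("looped-back copy read as Ethernet: type 0x%04x, payload shifted %ld bytes\n",
           misparsed_ethertype(), misparse_shift());
    return 0;
}
```

The first six "destination" bytes of the misframed copy are the address-family word followed by the start of the IP header, the next six are IP header bytes 2 to 7, and the type is 0x0111 (TTL 1, protocol 17): that is the garbage tcpdump printed. Removing the second tap, as the patch does, leaves only the DLT_EN10MB copy on le0's bpf queue.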