Subject: bin/9976: dhcpd seg faults in supersede_lease()
To: None <gnats-bugs@gnats.netbsd.org>
From: None <thorpej@shagadelic.org>
List: netbsd-bugs
Date: 04/25/2000 00:03:13
>Number:         9976
>Category:       bin
>Synopsis:       dhcpd seg faults in supersede_lease()
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 25 00:04:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Jason R Thorpe
>Release:        April 24, 2000
>Organization:
6th and Hugo Software
>Environment:
	
System: NetBSD yeah-baby 1.4X NetBSD 1.4X (YEAH-BABY) #50: Sat Apr 22 15:47:06 PDT 2000 thorpej@yeah-baby:/u1/netbsd/src/sys/arch/alpha/compile/YEAH-BABY alpha


>Description:
	The new DHCP server seg faults in supersede_lease() attempting
	to record the offer it is making to a client.

	Info from the debugger:

(gdb) where
#0  0x12001867c in supersede_lease (comp=0x120159f00, lease=0x1ffffdb78, 
    commit=0) at /u1/netbsd/src/usr.sbin/dhcp/server/mdb.c:956
#1  0x120007518 in ack_lease (packet=0x120180800, lease=0x120159f00, offer=2, 
    when=956644501, 
    msg=0x1ffffdd48 "DHCPDISCOVER from 00:10:7a:15:27:e4 via tlp0", 
    ms_nulltp=0) at /u1/netbsd/src/usr.sbin/dhcp/server/dhcp.c:1575
#2  0x1200038a4 in dhcpdiscover (packet=0x120180800, ms_nulltp=0)
    at /u1/netbsd/src/usr.sbin/dhcp/server/dhcp.c:166
#3  0x120003520 in dhcp (packet=0x120180800)
    at /u1/netbsd/src/usr.sbin/dhcp/server/dhcp.c:79
#4  0x120035dd0 in do_packet (interface=0x120180500, packet=0x1ffffe288, 
    len=300, from_port=17408, from={len = 4, 
      iabuf = "\000\000\000\000\005\000\000\000\000\000\000\000Jäÿÿ"}, 
    hfrom=0x1ffffe258) at /u1/netbsd/src/usr.sbin/dhcp/common/options.c:1377
#5  0x12001b24c in got_one (h=0x120180500)
    at /u1/netbsd/src/usr.sbin/dhcp/common/discover.c:687
#6  0x12003ded8 in omapi_one_dispatch (wo=0x1201788a0, t=0x0)
    at /u1/netbsd/src/usr.sbin/dhcp/omapip/dispatch.c:268
#7  0x120019bc8 in dispatch ()
    at /u1/netbsd/src/usr.sbin/dhcp/common/dispatch.c:92
#8  0x1200030f4 in main (argc=538324352, argv=0x2e52, envp=0x20)
    at /u1/netbsd/src/usr.sbin/dhcp/server/dhcpd.c:498
(gdb) print comp->next
$3 = (struct lease *) 0x0
(gdb) print comp->prev
$4 = (struct lease *) 0x0
(gdb) print comp->pool
$5 = (struct pool *) 0x0
(gdb) print *comp
$6 = {type = 0x0, refcnt = 0, handle = 0, outer = 0x0, inner = 0x0, 
  next = 0x0, prev = 0x0, n_uid = 0x0, n_hw = 0x0, waitq_next = 0x0, 
  ip_addr = {len = 4, iabuf = "а\002¦ÿÿÿÿÿÿÿÿl\215\003 "}, 
  starts = 956644381, ends = 0, timestamp = 0, uid = 0x120159f78 "DR-EVIL", 
  uid_len = 7, uid_max = 32, uid_buf = "DR-EVIL", '\000' <repeats 24 times>, 
  hostname = 0x0, client_hostname = 0x0, scope = {outer = 0x0, 
    bindings = 0x0}, host = 0x120180200, subnet = 0x120180000, pool = 0x0, 
  billing_class = 0x0, hardware_addr = {hlen = 7 '\a', 
    hbuf = "\001\000\020z\025'ä\000\000\000\000\000\000\000\000\000"}, 
  on_expiry = 0x0, on_commit = 0x0, on_release = 0x0, flags = 0, state = 0x0, 
  tstp = 0, tsfp = 0, cltt = 0}

The lease object appears to be fresh, yet supersede_lease() is attempting
to remove it from the hash chains.

The client (A) just happens to have sent a client identifier that is the
same as another system (B) sends, and the other system also happens to have
a valid lease, on a different network interface on the server.  If (A) does
NOT send the duplicate client identifier, then dhcpd works properly.

>How-To-Repeat:
	Seems to be triggered by two different clients sending the same
	client identifier (can you tell I'm configuring my new laptop?).

>Fix:
	Not provided.  I looked at the code for a while trying to figure
	out what was going on, but it's getting late.
>Release-Note:
>Audit-Trail:
>Unformatted:
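The backtrace and the dump of *comp above show the failure mode: a freshly allocated lease (next, prev and pool all NULL) handed to a supersede routine that assumes the lease is already on a pool chain. The following is an added example for illustration, not code from dhcpd, the PR, or the NetBSD tree: a small model of a per-pool lease chain whose supersede operation checks whether the lease is linked before touching its chain pointers. The structures, supersede_lease_checked(), run_duplicate_uid_scenario() and the sample values are hypothetical; only the field names and the "DR-EVIL" client identifier are taken from the report.

```c
/* Added example, not dhcpd's own code: a model of a pool's lease chain
 * and a supersede operation that refuses to unlink a lease that was never
 * linked.  Names echo the PR's backtrace (comp, lease, pool, next/prev,
 * uid) but the data structures and functions are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UID_MAX 32

struct pool;

struct lease {
    struct lease *next, *prev;   /* doubly-linked chain inside one pool */
    struct pool *pool;           /* NULL until linked: the state seen in the PR */
    char uid[UID_MAX];           /* client identifier */
    size_t uid_len;
    unsigned long ends;          /* expiry; 0 on a fresh lease */
};

struct pool {
    struct lease *head;
    int count;
};

/* Push a lease onto a pool's chain and record the back-pointer. */
static void pool_link(struct pool *p, struct lease *l)
{
    l->prev = NULL;
    l->next = p->head;
    if (p->head)
        p->head->prev = l;
    p->head = l;
    l->pool = p;
    p->count++;
}

/* Remove a lease from its pool chain.  Returns 0 if it was not linked,
 * instead of dereferencing a NULL pool pointer. */
static int pool_unlink(struct lease *l)
{
    struct pool *p = l->pool;
    if (p == NULL)
        return 0;                /* fresh lease: nothing to unlink */
    if (l->prev)
        l->prev->next = l->next;
    else
        p->head = l->next;
    if (l->next)
        l->next->prev = l->prev;
    l->next = l->prev = NULL;
    l->pool = NULL;
    p->count--;
    return 1;
}

enum supersede_result { SUPERSEDE_RELINKED = 1, SUPERSEDE_FRESH_LINKED = 2 };

/* Copy the offer in 'lease' into 'comp' and make sure comp ends up on
 * target's chain.  The invariant that avoids the PR's crash: a lease whose
 * pool pointer is NULL is not on any chain, so its chain pointers are only
 * touched when it is linked in. */
int supersede_lease_checked(struct lease *comp, const struct lease *lease,
                            struct pool *target)
{
    int was_linked = pool_unlink(comp);   /* safe on a fresh lease */
    memcpy(comp->uid, lease->uid, lease->uid_len);
    comp->uid_len = lease->uid_len;
    comp->ends = lease->ends;
    pool_link(target, comp);
    return was_linked ? SUPERSEDE_RELINKED : SUPERSEDE_FRESH_LINKED;
}

/* Constructed scenario modelled on the PR: client B already holds a lease
 * with uid "DR-EVIL" in pool_b; client A, on another interface, sends the
 * same uid and is given a freshly allocated lease object (pool == NULL).
 * Returns the supersede result, or -1 if either chain ends up wrong. */
int run_duplicate_uid_scenario(void)
{
    struct pool pool_a = {0}, pool_b = {0};
    struct lease lease_b = {0}, fresh_a = {0}, offer = {0};
    int r;

    memcpy(lease_b.uid, "DR-EVIL", 7);
    lease_b.uid_len = 7;
    lease_b.ends = 956647000UL;   /* constructed expiry */
    pool_link(&pool_b, &lease_b);

    memcpy(offer.uid, "DR-EVIL", 7);
    offer.uid_len = 7;
    offer.ends = 956648000UL;     /* constructed expiry */

    r = supersede_lease_checked(&fresh_a, &offer, &pool_a);
    /* B's lease must be untouched and A's lease linked into its own pool. */
    if (pool_b.count != 1 || pool_a.count != 1 || fresh_a.pool != &pool_a)
        return -1;
    return r;
}

int main(void)
{
    printf("duplicate-uid scenario result: %d\n", run_duplicate_uid_scenario());
    return 0;
}
```

The point of the check is that pool_unlink() treats a NULL pool as "not linked" and returns a status rather than walking the chain, so a lease that has just been allocated because two clients share a client identifier can still be recorded without the server dereferencing NULL. The real fix for the PR is not provided here; the example only shows the invariant a defender would want the supersede path to enforce.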