NetBSD-Bugs archive


traceroute6 can send packet to udp port 0 on BIG-ENDIAN machines (fix of PR/19069 is defective).



The following reply was made to PR bin/19069; it has been noted by GNATS.

From: hsuenaga%iij.ad.jp@localhost
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: traceroute6 can send packet to udp port 0 on BIG-ENDIAN machines (fix of PR/19069 is defective).
Date: Thu, 13 May 2010 08:32:50 +0000 (UTC)

 >Submitter-Id: net
 >Originator:   SUENAGA Hiroki
 >Organization: Internet Initiative Japan Inc.
 >Confidential: no
 >Synopsis:     traceroute6 can send packet to udp port 0 on BIG-ENDIAN machines (fix of PR/19069 is defective).
 >Severity:     non-critical
 >Priority:     low
 >Category:     kern
 >Class:                sw-bug
 >Release:      NetBSD-3.1 and current
 >Environment:  Found on embedded NetBSD-3.1 (MIPS).
 The problem can be found on NetBSD-current.
 >Description:
 traceroute6 can send a packet to UDP port 0 on BIG-ENDIAN machines when the sequence number is 65535.
 
 The BUG is here:
 
  363 int
  364 main(argc, argv)
  ....
  867                         if (!useicmp && htons(port + seq + 1) == 0)
  868                                 seq++;
  869                         send_probe(++seq, hops);
 
 Lines 867 and 868 are the fix code for PR/19069, but they are defective.
 
 On BIG-ENDIAN machines, htons() is a NULL macro, so line 867 is preprocessed to
 
   if (!useicmp && (port + seq + 1) == 0)
 
 (port + seq + 1) is used as a port number of type uint16_t, but the variable 'seq' is int,
 so the right hand of the condition is false when the port number becomes 0. 65536 is
 not zero on line 867, but it becomes zero when cast to a port number later.
 
 On LITTLE-ENDIAN machines, htons() contains a type cast to uint16_t, so it works fine.
   
 >How-To-Repeat:
 # traceroute6 -p 65535 <Target Address>
 
 >Fix:
 Cast to in_port_t before htons.
 
 cvs diff: Diffing .
 Index: traceroute6.c
 ===================================================================
 RCS file: /cvsroot/src/usr.sbin/traceroute6/traceroute6.c,v
 retrieving revision 1.38
 diff -u -w -p -r1.38 traceroute6.c
 --- traceroute6.c       16 Feb 2009 20:36:11 -0000      1.38
 +++ traceroute6.c       13 May 2010 08:16:55 -0000
 @@ -864,7 +864,7 @@ main(argc, argv)
                         struct timeval t1, t2;
  
                         (void) gettimeofday(&t1, NULL);
 -                       if (!useicmp && htons(port + seq + 1) == 0)
 +                       if (!useicmp && htons((in_port_t)(port + seq + 1)) == 
0)
                                 seq++;
                         send_probe(++seq, hops);
                         while ((cc = wait_for_reply(rcvsock, &rcvmhdr))) {
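Review bot: in the changed condition, htons() no longer contributes anything once its operand is cast to in_port_t, because zero is the same value in either byte order. Comparing `(in_port_t)(port + seq + 1) == 0` directly would make the test independent of how htons() is defined on a given platform, which is the difference the PR identifies as the cause of the bug. A one-line comment above the test stating that the sum is truncated to 16 bits when it is later used as the port would also help keep the cast from being dropped again.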
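The truncation described in the report, as an added example that is not part of the original message or of traceroute6. `HTONS_NOOP`, `htons_swap`, `dest_port` and the `check_*` functions are hypothetical names; `uint16_t` stands in for `in_port_t`, and the later cast to a port number is modelled as the report describes it.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of htons() as the report describes it on big-endian machines:
 * a no-op macro, so an int argument stays an int (hypothetical name). */
#define HTONS_NOOP(x) (x)

/* Model of a little-endian htons(): the uint16_t parameter truncates the
 * argument to 16 bits before the bytes are swapped (hypothetical name). */
static uint16_t htons_swap(uint16_t x)
{
    return (uint16_t)((x << 8) | (x >> 8));
}

/* Port that ends up in the probe: the int sum truncated to 16 bits
 * (assumption taken from the report's "cast to port number later"). */
static uint16_t dest_port(int port, int seq)
{
    return (uint16_t)(port + seq + 1);
}

/* Original check with a no-op htons(): compares the untruncated int. */
static int check_orig_be(int port, int seq)
{
    return HTONS_NOOP(port + seq + 1) == 0;
}

/* Original check with a casting htons(): truncation happens in the call. */
static int check_orig_le(int port, int seq)
{
    return htons_swap((uint16_t)(port + seq + 1)) == 0;
}

/* Check with the cast proposed in the report, still using the no-op macro. */
static int check_fixed_be(int port, int seq)
{
    return HTONS_NOOP((uint16_t)(port + seq + 1)) == 0;
}

int main(void)
{
    int port = 65535, seq = 0;   /* constructed input: -p 65535, first probe */

    printf("dest port        = %u\n", (unsigned)dest_port(port, seq));
    printf("orig, no-op htons: skip=%d\n", check_orig_be(port, seq));
    printf("orig, cast htons : skip=%d\n", check_orig_le(port, seq));
    printf("fixed, no-op     : skip=%d\n", check_fixed_be(port, seq));
    return 0;
}
```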
 

