NetBSD-Bugs archive


bin/46580: rtadvd may send RA packet with bad ND option



>Number:         46580
>Category:       bin
>Synopsis:       rtadvd may send RA packet with bad ND option
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 11 01:15:00 +0000 2012
>Originator:     Takahiro HAYASHI
>Release:        NetBSD 6.99.7 (201206071450Z)
>Organization:
>Environment:
System: NetBSD ruin 6.99.7 NetBSD 6.99.7 (MONOLITHIC) #0: Thu Jun  7 22:27:34 UTC 2012  builds%b6.netbsd.org@localhost:/home/builds/ab/HEAD/i386/201206071450Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/MONOLITHIC i386
Architecture: i386
Machine: i386
>Description:
rtadvd(8) sends an RA packet with a bad ND option (type=0, length=0)
when the interface is described in rtadvd.conf.
This prevents clients from updating the prefix.
This problem doesn't happen if rtadvd.conf does not exist or
rtadvd.conf does not include the config about the propagating interface.

Trying to run rtadvd in debug mode:

# ifconfig tap0 create up
# echo 'tap0:addr="fd00::":prefixlen#64:' > /tmp/ra.conf
# sysctl -w net.inet6.ip6.forwarding=1
# rtadvd -dfD -c /tmp/ra.conf tap0

rtadvd receives the RA from itself and complains about it.

rtadvd[520]: <ra_input> RA received from fe80::f00b:a4ff:fe1f:2a02 on tap0
rtadvd[520]: <nd6_options> bad ND option length(0) (type = 0)
rtadvd[520]: <ra_input> ND option check failed for an RA from fe80::f00b:a4ff:fe1f:2a02 on tap0

tcpdump says the RA has 32 excess bytes of zeros.

# tcpdump -i tap0 -nvXX
09:26:38.146318 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 88) fe80::f00b:a4ff:fe1f:2a02 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
          source link-address option (1), length 8 (1): f2:0b:a4:1f:2a:02
          prefix info option (3), length 32 (4): fd00::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s[ndp opt]
        0x0000:  3333 0000 0001 f20b a41f 2a02 86dd 6000  33........*...`.
        0x0010:  0000 0058 3aff fe80 0000 0000 0000 f00b  ...X:...........
        0x0020:  a4ff fe1f 2a02 ff02 0000 0000 0000 0000  ....*...........
        0x0030:  0000 0000 0001 8600 ae0d 4000 0708 0000  ..........@.....
        0x0040:  0000 0000 0000 0101 f20b a41f 2a02 0304  ............*...
        0x0050:  40c0 0027 8d00 0009 3a80 0000 0000 fd00  @..'....:.......
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0000 0000 0000 0000 0000 0000 0000       ..............

>How-To-Repeat:
Please see Description.
>Fix:
No idea.
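
The capture above can be checked mechanically. The following is an added example, not part of the PR and not rtadvd's own code: it walks the ND options of the 88-byte ICMPv6 payload shown in the tcpdump hex (starting at offset 0x36) and reports where the type=0, length=0 option begins. RFC 4861 requires receivers to silently discard an ND packet containing a zero-length option, which is why the whole RA is rejected. The names nd_opt_walk and ra_from_pr are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RA_HDR_LEN 16   /* fixed ICMPv6 Router Advertisement header */

/* ICMPv6 payload (88 bytes) transcribed from the tcpdump hex above, from
 * offset 0x36; bytes not listed are zero, as in the capture. */
static const uint8_t ra_from_pr[88] = {
    0x86, 0x00, 0xae, 0x0d, 0x40, 0x00, 0x07, 0x08, /* RA, hlim 64, 1800s */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* reachable, retrans */
    0x01, 0x01, 0xf2, 0x0b, 0xa4, 0x1f, 0x2a, 0x02, /* source link-addr   */
    0x03, 0x04, 0x40, 0xc0, 0x00, 0x27, 0x8d, 0x00, /* prefix info, /64   */
    0x00, 0x09, 0x3a, 0x80, 0x00, 0x00, 0x00, 0x00,
    0xfd, 0x00                                      /* fd00::, then zeros */
};

/* Walk the ND options of an RA. Returns the number of well-formed options,
 * or -1 with *bad_off set to the offset of the first option that has
 * length 0 or runs past the end of the packet. */
int nd_opt_walk(const uint8_t *pkt, size_t len, size_t *bad_off)
{
    size_t off = RA_HDR_LEN;
    int count = 0;

    if (len < RA_HDR_LEN) { *bad_off = 0; return -1; }
    while (off < len) {
        /* each option is type, length, data; length counts 8-octet units */
        if (len - off < 2 || pkt[off + 1] == 0 ||
            (size_t)pkt[off + 1] * 8 > len - off) {
            *bad_off = off;
            return -1;
        }
        off += (size_t)pkt[off + 1] * 8;
        count++;
    }
    return count;
}

int main(void)
{
    size_t bad = 0;
    int n = nd_opt_walk(ra_from_pr, sizeof(ra_from_pr), &bad);
    if (n < 0)
        printf("bad ND option at offset %zu, %zu trailing bytes\n",
               bad, sizeof(ra_from_pr) - bad);
    else
        printf("%d options ok\n", n);
    return 0;
}
```

The two valid options end at offset 56 of the ICMPv6 payload, so the remaining 32 bytes are exactly the excess zeros reported above.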



