Subject: kern/7003: NetBSD sends and receive IP pkts with multicast source address
To: None <gnats-bugs@gnats.netbsd.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: netbsd-bugs
Date: 02/14/1999 13:02:19
>Number:         7003
>Category:       kern
>Synopsis:       NetBSD sends and receive IP pkts  with multicast source address
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 14 13:05:00 1999
>Last-Modified:
>Originator:     Jonathan Stone
>Organization:
	
>Release:        NetBSD 1.3H as at November 15, 1998
>Environment:
	
System: NetBSD Cuisinart.Stanford.EDU 1.3I NetBSD 1.3I (CVS-EGCS) #3: Sat Jan 30 18:46:32 PST 1999 jonathan@Cuisinart.Stanford.EDU:/cuisinart/compile/CVS-EGCS pmax


>Description:
	Under some circumstances, NetBSD 1.3H sends packets with a
	class-D source address. This violates RFC-1112, sec. 6.2 [page 5]:

   The IP source address of the outgoing datagram must be one of the
   individual addresses corresponding to the outgoing interface.

   A host group address must never be placed in the source address field
   or anywhere in a source route or record route option of an outgoing
   IP datagram.

NetBSD 1.3H also seems to accept such packets, passing them up to
userlevel, instead of silently dropping them. That contravenes
RFC-1112, sec. 7.2:

   An incoming datagram is not rejected for having an IP time-to-live of
   1 (i.e., the time-to-live should not automatically be decremented on
   arriving datagrams that are not being forwarded).  An incoming
                                                      ^^^^^^^^^^^
   datagram with an IP host group address in its source address field is
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   quietly discarded.  An ICMP error message (Destination Unreachable,
   ^^^^^^^^^^^^^^^^^^
   Time Exceeded, Parameter Problem, Source Quench, or Redirect) is
   never generated in response to a datagram destined to an IP host
   group.



>How-To-Repeat:
	I configured a NetBSD 1.3H host as a multicast NTP server
	by adding 
		broadcast 224.0.1.1 key 6 ttl 2

	to /etc/ntp.conf on the multicast NTP server.
	I configured a number of formerly-unicast hosts as
	multicast peers, by adding:

		enable auth monitor bclient     # enable the good stuff
		multicastclient 224.0.1.1

	to the client NTP machines. The clients also contained
		server <multicast-server-address>
	lines.  (authentication setup elided).

	The clients received the multicast NTP just fine, but when
	they attempt to do a unicast NTP query to the server,
	(using the old unicast config), the server replies with
	packets with a _source_ address of 224.0.1.1.
	That's the first bug.

	The second bug

>Fix:

	The packet-input side is easy: add a check for a multicast
	source address in ip_intr():
	
	if (IN_MULTICAST(ip->ip_src.s_addr)) {
		goto bad;
	}

	I'm not sure about the sending side.
	``the same source works on Linux''.
	ktrace shows that xntpd is doing sendto(). Perhaps it's an artifact
	of sendto() to INADDR_ANY, on a socket which has been bound to
	receive packets _from_ the multicast group address?
>Audit-Trail:
>Unformatted:
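
The input-side rule quoted from RFC-1112 sec. 7.2, as a stand-alone userland sketch (an added example, not code from the report or from the NetBSD tree). The names check_ipv4_source, is_class_d, be32 and the two sample headers are hypothetical and constructed for illustration; the header checksum is not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PKT_ACCEPT, PKT_DROP_MALFORMED, PKT_DROP_MCAST_SRC };

/* Class D (host group) addresses are 224.0.0.0/4: top four bits 1110. */
static int is_class_d(uint32_t host_order_addr)
{
	return (host_order_addr & 0xf0000000u) == 0xe0000000u;
}

/* Read a big-endian 32-bit field, independent of host endianness/alignment. */
static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Input-side check (RFC 1112 sec. 7.2): quietly discard class-D sources. */
enum verdict check_ipv4_source(const uint8_t *pkt, size_t len)
{
	size_t hlen;

	if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
		return PKT_DROP_MALFORMED;
	hlen = (size_t)(pkt[0] & 0x0f) * 4;
	if (hlen < 20 || hlen > len)
		return PKT_DROP_MALFORMED;
	if (is_class_d(be32(pkt + 12)))	/* source address at offset 12 */
		return PKT_DROP_MCAST_SRC;
	return PKT_ACCEPT;
}

/* Constructed headers (checksum left zero, not verified here). */
/* Unicast reply carrying source 224.0.1.1, as in the report; dst 192.0.2.10. */
static const uint8_t bad_reply[20] = { 0x45, 0, 0, 0x4c, 0, 0, 0, 0, 2, 17, 0, 0,
	224, 0, 1, 1, 192, 0, 2, 10 };
/* Legitimate multicast NTP: source 192.0.2.1, destination 224.0.1.1. */
static const uint8_t good_mcast[20] = { 0x45, 0, 0, 0x4c, 0, 0, 0, 0, 2, 17, 0, 0,
	192, 0, 2, 1, 224, 0, 1, 1 };

int main(void)
{
	printf("bad_reply: %d, good_mcast: %d\n",
	    (int)check_ipv4_source(bad_reply, sizeof(bad_reply)),
	    (int)check_ipv4_source(good_mcast, sizeof(good_mcast)));
	return 0;
}
```

The same is_class_d() test applied to the source field just before transmit would catch the sending-side case from RFC-1112 sec. 6.2.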