>Number:         9387
>Category:       kern
>Synopsis:       Forwarding loop on down interfaces
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 10 04:18:00 2000
>Last-Modified:
>Originator:     NARITA Tomio
>Organization:
NARITA Tomio
nrt@iij.ad.jp
Internet Initiative Japan, Inc.
>Release:        NetBSD-current
>Environment:
Latest-current

>Description:

When a packet whose destination address is one of local
DOWN interface is passed to ip_input(), the packet is
forwarded to loopback interface over and over again
until TTL expires.

>How-To-Repeat:

ifconfig [interface] down
traceroute [address relevant to the interface]

>Fix:

When a packet is destined to DOWN interface,
kernel reacts to that with ICMP Host Unreachable.

I think the ICMP message may be ignored if the source address
is also destined to DOWN interface.

*** ip_input.c.orig	Thu Feb 10 20:58:51 2000
--- ip_input.c	Thu Feb 10 20:38:16 2000
***************
*** 488,494 ****
  	/*
  	 * Check our list of addresses, to see if the packet is for us.
  	 */
! 	INADDR_TO_IA(ip->ip_dst, ia);
  	if (ia != NULL)
  		goto ours;
  	if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
--- 488,505 ----
  	/*
  	 * Check our list of addresses, to see if the packet is for us.
  	 */
! 	for (ia = IN_IFADDR_HASH(ip->ip_dst.s_addr).lh_first;
! 	     ia != NULL;
! 	     ia = ia->ia_hash.le_next) {
! 		if (in_hosteq(ia->ia_addr.sin_addr, ip->ip_dst) )
! 		    if ( (ia->ia_ifp->if_flags & IFF_UP) != 0 )
! 			break;
! 		    else {
! 		        icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST,
! 				   0, m->m_pkthdr.rcvif);
! 		        return;
! 		    }
! 	}
  	if (ia != NULL)
  		goto ours;
  	if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
>Audit-Trail:
>Unformatted: