Subject: bin/9976: dhcpd seg faults in supersede_lease()
To: None <gnats-bugs@gnats.netbsd.org>
From: None <thorpej@shagadelic.org>
List: netbsd-bugs
Date: 04/25/2000 00:03:13
>Number: 9976
>Category: bin
>Synopsis: dhcpd seg faults in supersede_lease()
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 25 00:04:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Jason R Thorpe
>Release: April 24, 2000
>Organization:
6th and Hugo Software
>Environment:
System: NetBSD yeah-baby 1.4X NetBSD 1.4X (YEAH-BABY) #50: Sat Apr 22 15:47:06 PDT 2000 thorpej@yeah-baby:/u1/netbsd/src/sys/arch/alpha/compile/YEAH-BABY alpha
>Description:
The new DHCP server seg faults in supersede_lease() attempting
to record the offer it is making to a client.
Info from the debugger:
(gdb) where
#0 0x12001867c in supersede_lease (comp=0x120159f00, lease=0x1ffffdb78,
commit=0) at /u1/netbsd/src/usr.sbin/dhcp/server/mdb.c:956
#1 0x120007518 in ack_lease (packet=0x120180800, lease=0x120159f00, offer=2,
when=956644501,
msg=0x1ffffdd48 "DHCPDISCOVER from 00:10:7a:15:27:e4 via tlp0",
ms_nulltp=0) at /u1/netbsd/src/usr.sbin/dhcp/server/dhcp.c:1575
#2 0x1200038a4 in dhcpdiscover (packet=0x120180800, ms_nulltp=0)
at /u1/netbsd/src/usr.sbin/dhcp/server/dhcp.c:166
#3 0x120003520 in dhcp (packet=0x120180800)
at /u1/netbsd/src/usr.sbin/dhcp/server/dhcp.c:79
#4 0x120035dd0 in do_packet (interface=0x120180500, packet=0x1ffffe288,
len=300, from_port=17408, from={len = 4,
iabuf = "\000\000\000\000\005\000\000\000\000\000\000\000Jäÿÿ"},
hfrom=0x1ffffe258) at /u1/netbsd/src/usr.sbin/dhcp/common/options.c:1377
#5 0x12001b24c in got_one (h=0x120180500)
at /u1/netbsd/src/usr.sbin/dhcp/common/discover.c:687
#6 0x12003ded8 in omapi_one_dispatch (wo=0x1201788a0, t=0x0)
at /u1/netbsd/src/usr.sbin/dhcp/omapip/dispatch.c:268
#7 0x120019bc8 in dispatch ()
at /u1/netbsd/src/usr.sbin/dhcp/common/dispatch.c:92
#8 0x1200030f4 in main (argc=538324352, argv=0x2e52, envp=0x20)
at /u1/netbsd/src/usr.sbin/dhcp/server/dhcpd.c:498
(gdb) print comp->next
$3 = (struct lease *) 0x0
(gdb) print comp->prev
$4 = (struct lease *) 0x0
(gdb) print comp->pool
$5 = (struct pool *) 0x0
(gdb) print *comp
$6 = {type = 0x0, refcnt = 0, handle = 0, outer = 0x0, inner = 0x0,
next = 0x0, prev = 0x0, n_uid = 0x0, n_hw = 0x0, waitq_next = 0x0,
ip_addr = {len = 4, iabuf = "а\002¦ÿÿÿÿÿÿÿÿl\215\003 "},
starts = 956644381, ends = 0, timestamp = 0, uid = 0x120159f78 "DR-EVIL",
uid_len = 7, uid_max = 32, uid_buf = "DR-EVIL", '\000' <repeats 24 times>,
hostname = 0x0, client_hostname = 0x0, scope = {outer = 0x0,
bindings = 0x0}, host = 0x120180200, subnet = 0x120180000, pool = 0x0,
billing_class = 0x0, hardware_addr = {hlen = 7 '\a',
hbuf = "\001\000\020z\025'ä\000\000\000\000\000\000\000\000\000"},
on_expiry = 0x0, on_commit = 0x0, on_release = 0x0, flags = 0, state = 0x0,
tstp = 0, tsfp = 0, cltt = 0}
The lease object appears to be fresh, yet supersede_lease() is attempting
to remove it from the hash chains.
The client (A) just happens to have sent a client identifier that is the
same as another system (B) sends, and the other system also happens to have
a valid lease, on a different network interface on the server. If (A) does
NOT send the duplicate client identifier, then dhcpd works properly.
>How-To-Repeat:
Seems to be triggered by two different clients sending the same
client identifier (can you tell I'm configuring my new laptop?).
>Fix:
Not provided. I looked at the code for a while trying to figure
out what was going on, but it's getting late.
>Release-Note:
>Audit-Trail:
>Unformatted:
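The failure described in the report, as an added example that is not part of this PR or of ISC dhcpd's source: a hypothetical, stripped-down model of a lease pool carrying the next/prev/pool fields visible in the gdb dump, a client-identifier lookup that spans pools (so a duplicate uid from A matches B's lease on another interface), and an unlink that checks the pool pointer before touching the chain instead of dereferencing NULL on a fresh lease. The function names, the second interface name fxp0 and the chain layout are assumptions made for the illustration, not dhcpd's actual data structures.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical, stripped-down model of dhcpd's lease bookkeeping, written for
 * this illustration only (not ISC dhcpd's code). Each pool keeps a doubly
 * linked chain of leases and each lease points back at its pool. A freshly
 * allocated lease has next == prev == pool == NULL, the state of *comp above.
 */
struct pool;

struct lease {
	struct lease *next, *prev;
	struct pool *pool;	/* NULL until placed on a chain */
	char uid[32];		/* client identifier, e.g. "DR-EVIL" */
};

struct pool {
	const char *ifname;	/* interface the pool serves */
	struct lease *leases;	/* head of the chain */
};

/* Put a lease at the head of a pool's chain. */
void pool_insert(struct pool *p, struct lease *l)
{
	l->pool = p;
	l->prev = NULL;
	l->next = p->leases;
	if (p->leases != NULL) p->leases->prev = l;
	p->leases = l;
}

/*
 * Take a lease off its chain. The guard is the point: without it,
 * "l->pool->leases = l->next" on a fresh lease dereferences the NULL pool
 * pointer, the crash shape in the backtrace.
 */
int pool_unlink(struct lease *l)
{
	if (l->pool == NULL)
		return -1;	/* never inserted; nothing to remove */
	if (l->prev != NULL) l->prev->next = l->next;
	else l->pool->leases = l->next;
	if (l->next != NULL) l->next->prev = l->prev;
	l->next = l->prev = NULL;
	l->pool = NULL;
	return 0;
}

/* Look a uid up across every pool, as a server-wide uid hash would. */
struct lease *find_lease_by_uid(struct pool *pools, size_t npools, const char *uid)
{
	for (size_t i = 0; i < npools; i++)
		for (struct lease *l = pools[i].leases; l != NULL; l = l->next)
			if (strcmp(l->uid, uid) == 0)
				return l;
	return NULL;
}

/*
 * Record an offer by moving 'comp' onto the destination pool's chain. Only a
 * lease already on a chain is unlinked; a fresh one is inserted directly.
 */
int supersede_lease(struct lease *comp, struct pool *dst)
{
	if (comp->pool != NULL && pool_unlink(comp) != 0)
		return -1;
	pool_insert(dst, comp);
	return 0;
}

/*
 * The report's scenario: B holds a lease for uid "DR-EVIL" on one interface,
 * then A sends DHCPDISCOVER with the same uid on tlp0. Returns 1 when the
 * lookup matched B's lease on the other interface and A's fresh lease was
 * recorded on tlp0 without a NULL dereference. "fxp0" is a constructed name.
 */
int demo_duplicate_uid(void)
{
	struct pool pools[2] = { { "tlp0", NULL }, { "fxp0", NULL } };
	struct lease b = { .uid = "DR-EVIL" }, a = { .uid = "DR-EVIL" };
	struct lease *hit;
	pool_insert(&pools[1], &b);
	hit = find_lease_by_uid(pools, 2, "DR-EVIL");
	if (hit != &b || hit->pool != &pools[1])
		return 0;	/* the duplicate uid did not cross interfaces */
	if (supersede_lease(&a, &pools[0]) != 0)
		return 0;
	return a.pool == &pools[0] && pools[0].leases == &a && b.pool == &pools[1];
}

/* Chain surgery check: unlink the middle of three, then try it again. */
int demo_unlink_middle(void)
{
	struct pool p = { "tlp0", NULL };
	struct lease x = { .uid = "x" }, y = { .uid = "y" }, z = { .uid = "z" };
	pool_insert(&p, &x);
	pool_insert(&p, &y);
	pool_insert(&p, &z);	/* chain is z -> y -> x */
	if (pool_unlink(&y) != 0)
		return 0;
	return p.leases == &z && z.next == &x && x.prev == &z && pool_unlink(&y) == -1;
}
```

Call demo_duplicate_uid() from a main of your own (compile with -std=c99 or later); it returns 1 when the cross-interface uid match is found and the fresh lease is recorded without touching its NULL pool pointer. The model only shows the precondition the crash violated; it does not settle what the real supersede_lease() should do with a lease that belongs to another interface's pool.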