kern/55779: NetBSD multicast router sends multicast packet with invalid UDP checksum

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/55779: NetBSD multicast router sends multicast packet with invalid UDP checksum
From: kardel%netbsd.org@localhost
Date: Mon, 2 Nov 2020 16:40:00 +0000 (UTC)

>Number:         55779
>Category:       kern
>Synopsis:       NetBSD multicast router sends multicast packet with invalid UDP checksum
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 02 16:40:00 +0000 2020
>Originator:     Frank Kardel
>Release:        NetBSD 9.0_STABLE/-current
>Organization:
	
>Environment:
	
	
System: NetBSD sunaj 9.0_STABLE NetBSD 9.0_STABLE (ROUTER) #2: Tue Oct 20 09:55:21 UTC 2020 kardel@sunaj:/src/NetBSD/n9/src/obj.amd64/sys/arch/amd64/compile/ROUTER amd64
Architecture: x86_64
Machine: amd64
>Description:
	Configure a kernel to support MROUTING,PIM.
	Use a routing suite like FRRouting (FRRouting.org - see wip/frr)
	UDP checksumming must be enabled
	Start the routing suite just for RIP and observe RIP packets with
	invalid checksums being sent.

	Analysis:
	udp_output() correctly sets up m->m_pkthdr.csum_flags = M_CSUM_UDPv4.
	in the ip_output the path following MROUTING section is reached:

            if (ip_mrouter && (flags & IP_FORWARDING) == 0) {
                    if (ip_mforward(m, ifp) != 0) {
                            m_freem(m);
                            goto done;
                    }
            }

	at this point m->m_pkthdr.csum_flags ==  M_CSUM_UDPv4. after the
	call to ip_mforward m->m_pkthdr.csum_flags is zero.

	this is caused by commit 1.112->1.113:
-------
revision 1.113
date: 2008-05-08 08:00:55 +0000;  author: taca;  state: Exp;  lines: +7 -2;
Make sure to clear csum_flags before forward the packet.

This change should be fix DIAGNOSTIC kernel's panic when the machine act
as multicast router.

Advised from tls@ and approved by thorpej@.
-------
	The zeroing of m->m_pkthdr.csum_flags directly violates the
	guarantee from the boilerplate comment:

 * The packet is returned unscathed to the caller, unless it is
 * erroneous, in which case a non-zero return value tells the caller to
 * discard it.

	this is problematic as we lose the M_CSUM_UDPv4 information which
	in turn causes *NO UDP checksums* for multicast packets to be
	calculated.
	
>How-To-Repeat:
	see Description:
>Fix:
	Crude fix 1:
		restore m->m_pkthdr.csum_flags after ip_mforward call.

	Crude fix 2:
		wrap ip_mforward with flag restoration.

	Alternate fixes:
		Is the diagnostic issue gone after 12 years?
			yes - remove the zeroing
			no - examine the actual root cause

>Unformatted:

Prev by Date: Re: kern/55664: rump race condition
Next by Date: Re: kern/55664: rump race condition
Previous by Thread: port-evbarm/55778: evbarm64 GENERIC64 kernel fails to build with clang
Next by Thread: Re: kern/55774 (Kernel panics if another PC is powered on with serial cable attached between two)
Indexes:

Home | Main Index | Thread Index | Old Index