bin/56995: dhcrelay dumps core when sending DHCP response packets

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/56995: dhcrelay dumps core when sending DHCP response packets
From: lloyd%must-have-coffee.gen.nz@localhost
Date: Sun, 4 Sep 2022 19:30:01 +0000 (UTC)

>Number:         56995
>Category:       bin
>Synopsis:       dhcrelay dumps core when sending DHCP response packets
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 04 19:30:00 +0000 2022
>Originator:     Lloyd Parkes
>Release:        NetBSD 9.3
>Organization:
Must Have Coffee
>Environment:
System: System: NetBSD drumhunter.must-have-coffee.gen.nz 9.3_STABLE NetBSD 9.3_STABLE (SERIAL) #0: Sat Sep  3 11:51:37 NZST 2022  lloyd%riftsweeper.must-have-coffee.gen.nz@localhost:/home/lloyd/NetBSD/objdir/sys/arch/amd64/compile/SERIAL amd64
Architecture: x86_64
Machine: amd64
>Description:

When dhcrelay tries to relay the DHCP response to the client it dumps
core with SIGSEGV. The backtrace shows that it is crashing at
packet.c:167? in assemble_udp_ip_header(). 

#0  0x000000000b421b7d in assemble_udp_ip_header (interface=<optimized out>, 
    buf=0x77712edeeb70 "E\020\001S", bufix=0x77712edeeb1c, 
    from=<optimized out>, to=<optimized out>, port=17408, 
    data=0xb66c3a0 <fallback_interface> "", len=1392578629)
    at /home/lloyd/NetBSD/src/external/mpl/dhcp/lib/common/../../dist/common/packet.c:167

The line in question is
    udp.uh_sport = *libdhcp_callbacks.local_port /* XXX */

The problem is that the struct libdhcp_callbacks contains only null
pointers.

I labelled this problem "serious" because dhcrelay always seems to
dump core, but "low" because I guess nobody (else) is running dhcrelay
on NetBSD.

>How-To-Repeat:

Run dhcrelay and wait. I ran it as
	dhcrelay -d -4 -iu wm0 -id wm2 10.0.1.9

Changing the command line parameters with respect to whether or not
interfaces were designated as upstream, downstream or both didn't
prevent the core dump.

>Fix:

diff -r d841a31059bd -r 52ddfe4d5e41 external/mpl/dhcp/dist/common/packet.c
--- a/external/mpl/dhcp/dist/common/packet.c	Sat Sep 03 09:11:47 2022 +1200
+++ b/external/mpl/dhcp/dist/common/packet.c	Sat Sep 03 09:47:06 2022 +1200
@@ -133,16 +133,10 @@
 
 /* UDP header and IP header assembled together for convenience. */
 
-void assemble_udp_ip_header (interface, buf, bufix,
-			     from, to, port, data, len)
-	struct interface_info *interface;
-	unsigned char *buf;
-	unsigned *bufix;
-	u_int32_t from;
-	u_int32_t to;
-	u_int32_t port;
-	unsigned char *data;
-	unsigned len;
+void
+assemble_udp_ip_header (struct interface_info *interface, unsigned char *buf,
+			unsigned *bufix, u_int32_t from, u_int32_t to,
+			u_int32_t port, unsigned char *data, unsigned len)
 {
 	struct ip ip;
 	struct udphdr udp;
@@ -170,7 +164,7 @@
 	*bufix += sizeof ip;
 
 	/* Fill out the UDP header */
-	udp.uh_sport = *libdhcp_callbacks.local_port;		/* XXX */
+	udp.uh_sport = libdhcp_callbacks.local_port ? *libdhcp_callbacks.local_port : htons(67);		/* XXX */
 	udp.uh_dport = port;			/* XXX */
 #if defined(RELAY_PORT)
 	/* Change to relay port defined if sending to server */

Prev by Date: Re: kern/56994 (wm(4) panic on attach in interrupt_distribute, sometimes)
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: Re: kern/56994 (wm(4) panic on attach in interrupt_distribute, sometimes)
Next by Thread: Re: bin/56995: dhcrelay dumps core when sending DHCP response packets
Indexes:

Home | Main Index | Thread Index | Old Index