From owner-freebsd-bugs@FreeBSD.ORG Tue Jul 15 15:20:03 2003
Message-Id: <20030715221456.0E70F2024E@totem.fix.no>
Date: Wed, 16 Jul 2003 00:14:56 +0200 (CEST)
From: Anders Nordby
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: murray@FreeBSD.org
cc: obrien@FreeBSD.org
Subject: bin/54517: dhclient core dumps on negative ip address leasetime
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Anders Nordby
List-Id: Bug reports
X-List-Received-Date: Tue, 15 Jul 2003 22:20:03 -0000

>Number: 54517
>Category: bin
>Synopsis: dhclient core dumps on negative ip address leasetime
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 15 15:20:00 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Anders Nordby
>Release: FreeBSD 5.1-RELEASE i386
>Organization: Fluxpod Information eXchange
>Environment:
System: FreeBSD lappy 5.1-RELEASE FreeBSD 5.1-RELEASE #8: Mon Jul 14 23:15:40 CEST 2003 root@lappy:/usr/obj/usr/src/sys/LAPPY i386

>Description:
I was trying out some ISDN routers with broken config/hardware at work, and found dhclient on my laptop to be dumping core when getting a DHCPACK with the ip address lease time set to -1 from one of them (a Cisco 760 series router). GDB tells me (when I have compiled dhclient with CFLAGS="-O -pipe -g" and installed it with STRIP=""):

root@lappy:~# gdb /sbin/dhclient
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
(gdb) run fxp0
Starting program: /sbin/dhclient fxp0

Program received signal SIGFPE, Arithmetic exception.
0x0804b3db in dhcpack (packet=0x8118380) at /usr/src/contrib/isc-dhcp/client/dhclient.c:801
801 client -> new -> renewal = (((client -> new -> renewal + 3) * 3 / 4) +
(gdb) bt
#0 0x0804b3db in dhcpack (packet=0x8118380) at /usr/src/contrib/isc-dhcp/client/dhclient.c:801
#1 0x0804bb7d in dhcp (packet=0x8118380) at /usr/src/contrib/isc-dhcp/client/dhclient.c:1054
#2 0x080646e1 in do_packet (interface=0x8118000, packet=0xbfbfe9b0, len=548, from_port=17152, from= {len = 4, iabuf = "À¨\022\021\020\021©\226\0\0\0\0ÿÿÿÿ"}, hfrom=0xbfbff9d0) at /usr/src/contrib/isc-dhcp/common/options.c:2212
#3 0x08067754 in got_one (h=0x0) at /usr/src/contrib/isc-dhcp/common/discover.c:783
#4 0x08083192 in omapi_one_dispatch (wo=0x0, t=0xbfbffc28) at /usr/src/contrib/isc-dhcp/omapip/dispatch.c:418
#5 0x0804fb68 in dispatch () at /usr/src/contrib/isc-dhcp/common/dispatch.c:103
#6 0x0804ad2b in main (argc=2, argv=0xbfbffcd0, envp=0xbfbffcdc) at /usr/src/contrib/isc-dhcp/client/dhclient.c:477
#7 0x08048145 in _start ()
(gdb) q
The program is running. Exit anyway? (y or n) y

You can fetch a core dump and dhcpdump data off http://anders.fix.no/test/dhclient/.

My patch below is inspired by OpenBSD bug ID 1077 (http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=1077) and their patch to src/usr.sbin/dhcp/dhclient/dhclient.c (diff between revision 1.11 and 1.12).

>How-To-Repeat:
Set up a DHCP server that offers negative (-1) IP address lease time, try to get a DHCP lease with dhclient in FreeBSD.

Possibly, other negative or zero values will also crash dhclient. More investigation is needed.

The problem should be the same in -stable/4.x, I first discovered it there.

>Fix:
--- contrib/isc-dhcp/client/dhclient.c.orig Mon Mar 24 00:29:36 2003 +++ contrib/isc-dhcp/client/dhclient.c Tue Jul 15 23:32:26 2003 
@@ -798,6 +798,7 @@ client -> new -> expiry / 2; /* Now introduce some randomness to the renewal time: */ + if (ds.data) client -> new -> renewal = (((client -> new -> renewal + 3) * 3 / 4) + (random () % /* XXX NUMS */ ((client -> new -> renewal + 3) / 4))); >Release-Note: >Audit-Trail: >Unformatted:
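
Review bot: the added guard `if (ds.data)` tests a pointer, not the value that faults. The SIGFPE in the report is raised in this statement, and the only operation here that can raise it is `random () % ((client -> new -> renewal + 3) / 4)`, whose divisor is 0 when renewal is 0; the context line above the comment shows renewal can come from `client -> new -> expiry / 2`, which truncates to 0 for an expiry of -1. If `ds.data` is set while renewal is still that small, the modulo by zero stays reachable, so the check should be on the divisor itself: compute `(client -> new -> renewal + 3) / 4` into a local and apply the jitter only when it is greater than zero, or reject a non-positive expiry or renewal before reaching this point. The guarded assignment spans three lines, so it should also be indented under the `if` and wrapped in braces, with a short comment saying why the jitter is skipped.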
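
The arithmetic behind the reported SIGFPE, worked through as an added example (not code from this PR or from ISC dhclient). The helper names are hypothetical, `long` stands in for the client's time type, and it assumes renewal defaults to expiry / 2 with expiry equal to the offered lease time.

```c
#include <stdio.h>

/* Divisor of the jitter expression quoted in the report:
 *   random () % ((renewal + 3) / 4)
 * Hypothetical helper; integer division truncates toward zero. */
static long jitter_divisor(long renewal)
{
    return (renewal + 3) / 4;
}

/* 1 if the unguarded expression would evaluate "% 0" (SIGFPE on i386). */
static int would_fault(long renewal)
{
    return jitter_divisor(renewal) == 0;
}

/* Hardened form: test the divisor itself and skip the jitter when it is
 * not positive. rnd stands in for the value returned by random(). */
static long jittered_renewal(long renewal, long rnd)
{
    long div = jitter_divisor(renewal);

    if (div <= 0)
        return renewal;   /* no jitter; caller should also reject renewal <= 0 */
    return ((renewal + 3) * 3 / 4) + (rnd % div);
}

int main(void)
{
    /* Constructed lease times; -1 is the value from the report. */
    long leases[] = { -1, 0, 1, 2, 3600 };
    size_t i;

    for (i = 0; i < sizeof leases / sizeof leases[0]; i++) {
        long renewal = leases[i] / 2;   /* assumption: renewal = expiry / 2 */

        printf("lease=%ld renewal=%ld divisor=%ld fault=%d safe=%ld\n",
               leases[i], renewal, jitter_divisor(renewal),
               would_fault(renewal), jittered_renewal(renewal, 12345));
    }
    return 0;
}
```

Lease times of -1, 0 and 1 all give a renewal of 0 and therefore a zero divisor, which is why the report's "other negative or zero values" remark deserves a check on the divisor rather than on one input.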