Date:      Mon, 18 Sep 2000 07:04:03 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Ben Schumacher <ben@henshaw.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: netgraph based MAC authentication (core dump information)
Message-ID:  <39C620D3.167EB0E7@elischer.org>
References:  <5.0.0.25.2.20000913221340.00a04950@pop.henshaw.net> <5.0.0.25.2.20000915183859.026c2310@pop.henshaw.net> <5.0.0.25.2.20000917182707.01c52a20@pop.henshaw.net>

maybe someone can say what the trap address was...

BTW, next time set "set print pretty"
and "set radix 16"

Ben Schumacher wrote:
> 

> #9  0xc022c723 in trap (frame={
>        tf_fs = 16, tf_es = 16, tf_ds = 16,
>        tf_edi = -918835756,  tf_esi = -1065955662,
>        tf_ebp = -918835836,  tf_isp = -918835860, 
>        tf_ebx = -16369088,   tf_edx = 65534, 
>        tf_ecx = -1065955682, tf_eax = 0, 
>        tf_trapno = 12,       tf_err = 0, 
>        tf_eip = -1072107089, tf_cs = 8, 
>        tf_eflags = 66178,
>        tf_esp = -1065955840, tf_ss = -918835756})
>             at ../../i386/i386/trap.c:426


> #10 0xc018f1af in in_broadcast (in={s_addr = 4278598208}, ifp=0x0) at
> ../../netinet/in.c:736

looking at this I wonder if the problem is actually 2 lines
further down at line 738. ifp is 0x00
and it is dereferenced there.


> #11 0xc019a446 in udp_input (m=0xc076ce00, off=20, proto=17) at
> ../../netinet/udp_usrreq.c:238
> #12 0xc01921e9 in ip_input (m=0xc076ce00) at ../../netinet/ip_input.c:738
> #13 0xc0192247 in ipintr () at ../../netinet/ip_input.c:766
> #14 0xc021fd65 in swi_net_next ()
> #15 0xc015d72d in sendit (p=0xc89c3260, s=4, mp=0xc93baf10, flags=0) at
> ../../kern/uipc_syscalls.c:520
> #16 0xc015d821 in sendto (p=0xc89c3260, uap=0xc93baf80) at
> ../../kern/uipc_syscalls.c:572
> #17 0xc022d195 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
> tf_edi = -1078004048, tf_esi = 671511360,
>        tf_ebp = -1078004024, tf_isp = -918835244, tf_ebx = 671511548,
> tf_edx = -1078003928, tf_ecx = -7,
>        tf_eax = 133, tf_trapno = 7, tf_err = 2, tf_eip = 671741624, tf_cs =
> 31, tf_eflags = 647,
>        tf_esp = -1078004116, tf_ss = 47}) at ../../i386/i386/trap.c:1126
> #18 0xc021e905 in Xint0x80_syscall ()
> #19 0x8048add in ?? ()
> #20 0x8048651 in ?? ()
> (kgdb) up 10
> #10 0xc018f1af in in_broadcast (in={s_addr = 4278598208}, ifp=0x0) at
> ../../netinet/in.c:736
> 736             if (in.s_addr == INADDR_BROADCAST ||
> (kgdb) list
> 731             struct ifnet *ifp;
> 732     {
> 733             register struct ifaddr *ifa;
> 734             u_long t;
> 735
> 736             if (in.s_addr == INADDR_BROADCAST ||
> 737                 in.s_addr == INADDR_ANY)
> 738                     return 1;
> 739             if ((ifp->if_flags & IFF_BROADCAST) == 0)
> 740                     return 0;
> (kgdb) print in
> $1 = {s_addr = 6422528}
> (kgdb) print in.s_addr
> $2 = 6422528
> (kgdb) up
> #11 0xc019a446 in udp_input (m=0xc076ce00, off=20, proto=17) at
> ../../netinet/udp_usrreq.c:238
> 238             if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
> (kgdb) up
> #12 0xc01921e9 in ip_input (m=0xc076ce00) at ../../netinet/ip_input.c:738
> 738             (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, off, nh);
> (kgdb) up
> #13 0xc0192247 in ipintr () at ../../netinet/ip_input.c:766
> 766                     ip_input(m);


Now, this is actually possible.
and in fact almost any UDP packet might cause this problem.

it seems that the packet you are reinjecting into the
system does not include a pointer to the interface it comes from,
and udp_input() is calling in_broadcast with this packet's ifp
pointer which is NULL.

try the following patch..

Index: ng_ether.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_ether.c,v
retrieving revision 1.9
diff -u -r1.9 ng_ether.c
--- ng_ether.c  2000/09/01 00:28:03     1.9
+++ ng_ether.c  2000/09/18 14:03:13
@@ -657,6 +657,7 @@
        m->m_data += sizeof(*eh);
        m->m_len -= sizeof(*eh);
        m->m_pkthdr.len -= sizeof(*eh);
+       m->m_pkthdr.rcvif = priv->ifp;
 
        /* Route packet back in */
        NG_FREE_META(meta);
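Review bot: the added line `m->m_pkthdr.rcvif = priv->ifp;` carries no comment saying why it is required, and the backtrace above (udp_input() reaching in_broadcast() with ifp=0x0) is the only record of that reason; a one-line comment next to it, e.g. `/* stack code such as in_broadcast() dereferences rcvif */`, would keep the next editor from dropping it. It is also worth confirming that priv->ifp cannot be NULL when this route-back path runs; if it can, the NULL dereference is only moved from udp_input() into whatever consumes rcvif.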


-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000
---> X_.---._/  presently in:  Perth
            v
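The failure Julian describes above, namely a re-injected packet with no receiving interface reaching code that assumes one, as an added stand-alone model that is not FreeBSD kernel code and not part of this thread. The structs are reduced to the fields the trace touches; `iface_t`, `pkt_t`, `is_broadcast`, `reinject_frame` and `udp_deliver` are names invented for this example, and the NULL guard in `is_broadcast` is hardening the example adds, not what in.c did at the time.

```c
/* Added example: model of the NULL-rcvif crash from the thread. Not FreeBSD
 * code; struct and function names here are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IFF_BROADCAST      0x2U         /* same bit value as FreeBSD's if.h */
#define INADDR_BROADCAST_H 0xffffffffU  /* host order, limited broadcast */
#define INADDR_ANY_H       0x00000000U

typedef struct iface {
    const char *name;
    uint32_t    if_flags;
    uint32_t    broadaddr;   /* host-order directed-broadcast address */
} iface_t;

/* Stand-in for the mbuf packet header: only the receive-interface pointer. */
typedef struct pkt {
    uint32_t dst;            /* host-order IPv4 destination */
    iface_t *rcvif;          /* NULL = "packet carries no receiving interface" */
} pkt_t;

enum { BCAST_NO = 0, BCAST_YES = 1, BCAST_NO_IFP = -1 };

/* Mirrors the control flow at in.c:736-740 in the kgdb listing: the limited
 * broadcast / INADDR_ANY early returns happen before ifp is touched, so only a
 * directed-broadcast check reaches the dereference. The NULL check is the
 * defensive addition; the original code dereferenced ifp unconditionally. */
int is_broadcast(uint32_t dst, const iface_t *ifp)
{
    if (dst == INADDR_BROADCAST_H || dst == INADDR_ANY_H)
        return BCAST_YES;
    if (ifp == NULL)               /* in.c faulted here (trap 12, page fault) */
        return BCAST_NO_IFP;
    if ((ifp->if_flags & IFF_BROADCAST) == 0)
        return BCAST_NO;
    return dst == ifp->broadaddr ? BCAST_YES : BCAST_NO;
}

/* The invariant the ng_ether patch restores: a frame routed back into the
 * stack must record the interface it arrived on before it is handed up. */
void reinject_frame(pkt_t *p, iface_t *from)
{
    p->rcvif = from;
}

/* Consumer in the style of udp_input(). Returns 1 if the packet could be
 * classified (broadcast flag written to *is_bcast_out), 0 if it was dropped
 * because it had no receiving interface. */
int udp_deliver(const pkt_t *p, int *is_bcast_out)
{
    int r = is_broadcast(p->dst, p->rcvif);
    if (r == BCAST_NO_IFP) {
        /* Drop and log instead of faulting inside the network stack. */
        fprintf(stderr, "drop: udp packet to 0x%08x has no rcvif\n",
                (unsigned)p->dst);
        return 0;
    }
    *is_bcast_out = r;
    return 1;
}

int main(void)
{
    /* Constructed sample: one broadcast-capable interface on 192.168.10.0/24. */
    iface_t eth = { "fxp0", IFF_BROADCAST, 0xc0a80affU };
    pkt_t   p   = { 0xc0a80affU, NULL };   /* directed broadcast, no rcvif yet */
    int     bc  = 0;

    printf("before reinject: delivered=%d\n", udp_deliver(&p, &bc));
    reinject_frame(&p, &eth);
    printf("after reinject:  delivered=%d broadcast=%d\n",
           udp_deliver(&p, &bc), bc);
    return 0;
}
```

Run as is, the first delivery is dropped with a log line and the second succeeds once `reinject_frame` has tagged the packet; a packet addressed to 255.255.255.255 passes `is_broadcast` even with a NULL interface, which is why the trace only faults on a destination that gets past line 737.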


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39C620D3.167EB0E7>