From owner-freebsd-bugs@FreeBSD.ORG  Thu May 19 22:00:27 2011
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E80071065675
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 19 May 2011 22:00:27 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id ABE158FC1F
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 19 May 2011 22:00:27 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p4JM0RNR079546
	for <freebsd-bugs@freefall.freebsd.org>; Thu, 19 May 2011 22:00:27 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p4JM0RG7079544;
	Thu, 19 May 2011 22:00:27 GMT (envelope-from gnats)
Resent-Date: Thu, 19 May 2011 22:00:27 GMT
Resent-Message-Id: <201105192200.p4JM0RG7079544@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Peter Losher <plosher@isc.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5C8B5106566B
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu, 19 May 2011 21:53:57 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 4D15A8FC1F
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu, 19 May 2011 21:53:57 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p4JLrvbM004173
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 19 May 2011 21:53:57 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p4JLrvtH004172;
	Thu, 19 May 2011 21:53:57 GMT (envelope-from nobody)
Message-Id: <201105192153.p4JLrvtH004172@red.freebsd.org>
Date: Thu, 19 May 2011 21:53:57 GMT
From: Peter Losher <plosher@isc.org>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: misc/157188: libpcap 
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2011 22:00:28 -0000


>Number:         157188
>Category:       misc
>Synopsis:       libpcap
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 19 22:00:27 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Peter Losher
>Release:        8.2-RELEASE
>Organization:
Internet Systems Consortium
>Environment:
FreeBSD freebsd8.lab.isc.org 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
One of our engineers @ISC discovered that there is a bug in the currently released version of libpcap (in base and in ports) that can be triggered when using an "ip6 protochain" filter.  It's due to the fairly complicated BPF bytecode that libpcap generates for IPv6 header chasing combined with a sign extension bug when processing JA (jump absolute) opcodes.  (JA is used to go backwards and without sign extension on 64 bit platforms the BPF interpreter incorrectly jumps forward... a lot.)

>How-To-Repeat:
root@freebsd8:~# tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 58'
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
Segmentation fault: 11 (core dumped)

>Fix:
There is a fix in the libpcap repository:

https://github.com/mcr/libpcap/commit/ecdc5c0a7f7591a7cd4aff696e42757c677fbbf7

but the tcpdump-workers have been pretty tardy about putting out newer code, so it sits there stalled.

With the patch applied, it all works well and you should see something like this:

-=-
$ tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 58' 
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
18:43:07.098489 IP6 fe80::208:7dff:feb7:2cca > ff02::1: HBH ICMP6, multicast listener queryv2  [gaddr ::], length 28
-=-

>Release-Note:
>Audit-Trail:
>Unformatted: