From owner-freebsd-hackers Sun Feb 19 04:57:37 1995
From: Ollivier Robert
Subject: BUG in 4.4 raw_ip.c (fwd)
In-Reply-To: <3ht7f9$5v5@ra.nrl.navy.mil>
To: freebsd-hackers@FreeBSD.org
Message-Id: <199502151713.SAA06581@sidhe.hsc-sec.fr>
Reply-To: roberto@hsc.fr.net (Ollivier Robert)
Organization: Herve Schauer Consultants, Paris, France
Date: Wed, 15 Feb 1995 17:13:29 GMT

Found in comp.os.386bsd.bugs. Don't know if it's fixed in FreeBSD or not.

------- start of forwarded message -------
From: danmcd@sundance.itd.nrl.navy.mil (Dan McDonald)
Newsgroups: comp.bugs.4bsd,comp.unix.bsd,comp.os.386bsd.bugs,comp.protocols.tcp-ip
Subject: BUG in 4.4 raw_ip.c
Date: 15 Feb 1995 15:43:37 GMT
Organization: Information Technology Division, Naval Research Laboratory

There is an obscure bug in 4.4 BSD (including 4.4-Lite) which affects raw
sockets that are bound to an address.  The fix is all of two characters,
which inverts two tests in raw_ip.c.
The following is a context diff:

=====================(Cut up to and including here.)======================
armitage(sys/netinet)[0]% diff -c raw_ip.c /usr/src/sys/netinet/raw_ip.c *** raw_ip.c Wed Feb 15 07:28:07 1995 --- /usr/src/sys/netinet/raw_ip.c Fri Dec 16 13:10:14 1994 *************** *** 93,102 **** if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != ip->ip_p) continue; if (inp->inp_laddr.s_addr && ! inp->inp_laddr.s_addr != ip->ip_dst.s_addr) continue; if (inp->inp_faddr.s_addr && ! inp->inp_faddr.s_addr != ip->ip_src.s_addr) continue; if (last) { struct mbuf *n; --- 93,102 ---- if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != ip->ip_p) continue; if (inp->inp_laddr.s_addr && ! inp->inp_laddr.s_addr == ip->ip_dst.s_addr) continue; if (inp->inp_faddr.s_addr && ! inp->inp_faddr.s_addr == ip->ip_src.s_addr) continue; if (last) { struct mbuf *n;
=====================(Cut up to and including here.)======================

To determine if your system is affected by this bug, here is code to test
it.  (You will need to be root to run this...)

=====================(Cut up to and including here.)======================
/*
 * test.c -- Silly program to test raw socket.  Run with an argument
 *           to send.  Run without an argument to receive.
 *
 * Daniel L. McDonald  -  U. S. Naval Research Laboratory
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
  int s;

  (void)argv;
  s = socket(PF_INET,SOCK_RAW,69);  /* 69, AFAIK, is not an assigned protocol. */
  if (s == -1)
    {
      perror("socket");
      exit(1);
    }
  printf("argc = %d\n",argc);
  if (argc > 1)
    {
      /* Sender: connect to 127.0.0.1 and send one datagram. */
      char *buf="Hello";
      struct sockaddr_in dst;
      int rc;

      memset(&dst,0,sizeof(dst));
      dst.sin_family = AF_INET;
      dst.sin_addr.s_addr = htonl(0x7f000001);  /* send it over loopback. */
      rc = connect(s,(struct sockaddr *)&dst,sizeof(struct sockaddr_in));
      if (rc == -1)
        perror("connect");
      else if ((rc = send(s,buf,strlen(buf)+1,0)) == -1)
        perror("send");
      else printf("%d bytes sent.\n",rc);
    }
  else
    {
      /* Receiver: bind to 127.0.0.1 and wait for one datagram. */
      char buf[30];
      struct sockaddr_in src;
      socklen_t srclen = sizeof(src);  /* must hold the buffer size on entry */
      int rc;

      memset(&src,0,sizeof(src));
      src.sin_family = AF_INET;
      src.sin_addr.s_addr = htonl(0x7f000001);
      memset(buf,0,sizeof(buf));
      rc=bind(s,(struct sockaddr *)&src,sizeof(struct sockaddr_in));
      if (rc == -1)
        perror("bind");
      else if ((rc=recvfrom(s,buf,sizeof(buf)-1,0,(struct sockaddr *)&src,&srclen)) != -1)
        /* buf+20 skips the 20-byte IP header delivered on a raw socket. */
        printf("Got '%s' (%d bytes total) from %s, srclen %d\n",buf+20,rc,
               inet_ntoa(src.sin_addr),(int)srclen);
      else perror("recvfrom");
    }
  return 0;
}
=====================(Cut up to and including here.)======================

A few people had been notified of this earlier.  I apologize for not
informing everyone sooner.  Enjoy!

--
Daniel L. McDonald | Mail: danmcd@itd.nrl.navy.mil -------------------------+
Computer Scientist | WWW: http://wintermute.itd.nrl.navy.mil/danmcd.html |
Naval Research Lab | Phone: (202) 404-7122 #include |
Washington, DC | "Rise from the ashes, A blaze of everyday glory" - Rush +
------- end of forwarded message -------

--
Ollivier ROBERT -=-=- Herve Schauer Consultants -=-=- roberto@hsc.fr.net
-=-=-=-=-=- Support The Free UNIX Systems ! FreeBSD NetBSD Linux -=-=-=-=-=-
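
Review bot: The context diff runs from the corrected file to the stock one, so it cannot be applied forward as posted. In the 93,102 hunk the `***` side (raw_ip.c, dated Feb 15 1995) carries the `!=` comparisons on inp_laddr and inp_faddr, while the `---` side (/usr/src/sys/netinet/raw_ip.c, dated Dec 16 1994) carries `==`. Applied as-is to a stock tree it will be seen as already applied or reversed. Either regenerate it with the stock file first (`diff -c /usr/src/sys/netinet/raw_ip.c raw_ip.c`) or apply it with `patch -R`, and confirm afterwards that both marked lines read `!=`.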
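
A userspace model of the three filter tests shown in the diff above, added here as an example (it is not code from the original post or from the BSD sources). The struct names, `rip_match`, `delivered` and the 10.0.0.5 address are assumptions made for illustration. It shows that with the `==` comparisons a bound raw socket misses packets sent to its own address and is handed packets addressed elsewhere.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions) for the inpcb and IP header fields in the diff. */
struct rawpcb { uint8_t proto; uint32_t laddr, faddr; };  /* 0 = not set */
struct pkt    { uint8_t proto; uint32_t src, dst; };

#define LOOPBACK 0x7f000001u  /* 127.0.0.1, the address test.c uses */
#define OTHER    0x0a000005u  /* 10.0.0.5, constructed sample address */

/* The three filter tests from the diff; 1 means the packet is queued to the
 * socket. fixed=0 uses the "==" comparisons, fixed=1 the "!=" comparisons. */
int rip_match(const struct rawpcb *inp, const struct pkt *ip, int fixed)
{
    if (inp->proto && inp->proto != ip->proto)
        return 0;
    if (inp->laddr && (fixed ? inp->laddr != ip->dst : inp->laddr == ip->dst))
        return 0;
    if (inp->faddr && (fixed ? inp->faddr != ip->src : inp->faddr == ip->src))
        return 0;
    return 1;
}

/* Protocol-69 packet src->dst against a socket bound to laddr, connected to faddr. */
int delivered(uint32_t laddr, uint32_t faddr, uint32_t src, uint32_t dst, int fixed)
{
    struct rawpcb inp = { 69, laddr, faddr };
    struct pkt ip = { 69, src, dst };
    return rip_match(&inp, &ip, fixed);
}

int main(void)
{
    static const struct { const char *what; uint32_t laddr, faddr, src, dst; } c[] = {
        { "unbound socket, packet to 127.0.0.1",       0,        0,        LOOPBACK, LOOPBACK },
        { "bound 127.0.0.1, packet to 127.0.0.1",      LOOPBACK, 0,        LOOPBACK, LOOPBACK },
        { "bound 127.0.0.1, packet to 10.0.0.5",       LOOPBACK, 0,        OTHER,    OTHER    },
        { "connected 127.0.0.1, packet from 10.0.0.5", 0,        LOOPBACK, OTHER,    LOOPBACK },
    };
    printf("%-44s %-5s %s\n", "case", "\"==\"", "\"!=\"");
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-44s %-5d %d\n", c[i].what,
               delivered(c[i].laddr, c[i].faddr, c[i].src, c[i].dst, 0),
               delivered(c[i].laddr, c[i].faddr, c[i].src, c[i].dst, 1));
    return 0;
}
```

The second row is the situation test.c sets up: a receiver bound to 127.0.0.1 and a sender addressing 127.0.0.1.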