Date: Wed, 28 Aug 2002 04:18:48 -0700 (PDT) From: Praveen Khurjekar <praveen@codito.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/42121: IP timestamp options processing Message-ID: <200208281118.g7SBImkF022694@www.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 42121 >Category: misc >Synopsis: IP timestamp options processing >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Aug 28 04:20:01 PDT 2002 >Closed-Date: >Last-Modified: >Originator: Praveen Khurjekar >Release: 4.5 >Organization: Codito Technologies >Environment: FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386 >Description: Bug in IP options processing (timestamp with address ,timestamp with prespecified address) The stack doesnt seem to modify the IP header properly while processing packets with timestamp with address (IOPT_TS_TSANDADDR) and timestamp with prespecified address (IOPT_TS_PRESPEC) options. the address of the system whose time stamp is to be recorded is being overwritten by the timestamp of the system in both the cases. in the following ping outputs the timestamp of 192.168.1.174 (freebsd box) is written where its system address should have been written.timestamp remains zero. [root@saturn root]# ping -c 2 -T tsandaddr 192.168.1.174 PING 192.168.1.174 (192.168.1.174) from 192.168.1.59 : 56(124) bytes of data. 64 bytes from 192.168.1.174: icmp_seq=0 ttl=64 time=36.125 msec TS: 192.168.1.59 38510053 absolute 0.153.188.112 -38510053 192.168.1.59 38510099 absolute Warning: time of day goes back, taking countermeasures. 64 bytes from 192.168.1.174: icmp_seq=1 ttl=64 time=5.180 msec TS: 192.168.1.59 38511049 absolute 0.153.192.78 -38511049 192.168.1.59 38511054 absolute --- 192.168.1.174 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/mdev = 5.180/20.652/36.125/15.473 ms [root@saturn root]# ping -c 2 -T tsprespec 192.168.1.174 192.168.1.174 PING 192.168.1.174 (192.168.1.174) from 192.168.1.59 : 56(124) bytes of data. Warning: time of day goes back, taking countermeasures. 64 bytes from 192.168.1.174: icmp_seq=0 ttl=64 time=4.672 msec TS: 0.159.112.67 0 absolute Unrecorded hops: 1 64 bytes from 192.168.1.174: icmp_seq=1 ttl=64 time=3.241 msec TS: 0.159.116.43 0 absolute Unrecorded hops: 1 --- 192.168.1.174 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/mdev = 3.241/3.956/4.672/0.718 ms >How-To-Repeat: ping freebsd host with timestamp options >Fix: I think this could be corrected by increasing off by sizeof(struct in_addr) in funtion ip_dooptions while processing IOPT_TS_TSANDADDR , IPOT_TS_PRESPEC the following code is from freebsd 4.6 source case IPOPT_TS: #ifdef IPSTEALTH if (ipstealth && pass == 0) break; #endif code = cp - (u_char *)ip; if (optlen < 4 || optlen > 40) { code = &cp[IPOPT_OLEN] - (u_char *)ip; goto bad; } if ((off = cp[IPOPT_OFFSET]) < 5) { code = &cp[IPOPT_OLEN] - (u_char *)ip; goto bad; } if (off > optlen - (int)sizeof(int32_t)) { cp[IPOPT_OFFSET + 1] += (1 << 4); if ((cp[IPOPT_OFFSET + 1] & 0xf0) == 0) { code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad; } break; } off--; /* 0 origin */ sin = (struct in_addr *)(cp + off); switch (cp[IPOPT_OFFSET + 1] & 0x0f) { case IPOPT_TS_TSONLY: break; case IPOPT_TS_TSANDADDR: if (off + sizeof(n_time) + sizeof(struct in_addr) > optlen) { code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad; } ipaddr.sin_addr = dst; ia = (INA)ifaof_ifpforaddr((SA)&ipaddr, m->m_pkthdr.rcvif); if (ia == 0) continue; (void)memcpy(sin, &IA_SIN(ia)->sin_addr, sizeof(struct in_addr)); cp[IPOPT_OFFSET] += sizeof(struct in_addr); change -----------> off += sizeof(struct in_addr); break; case IPOPT_TS_PRESPEC: if (off + sizeof(n_time) + sizeof(struct in_addr) > optlen) { code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad; } (void)memcpy(&ipaddr.sin_addr, sin, sizeof(struct in_addr)); if (ifa_ifwithaddr((SA)&ipaddr) == 0) continue; cp[IPOPT_OFFSET] += sizeof(struct in_addr); change -----------> off += sizeof(struct in_addr); break; default: code = &cp[IPOPT_OFFSET + 1] - (u_char *)ip; goto bad; } ntime = iptime(); (void)memcpy(cp + off, &ntime, sizeof(n_time)); cp[IPOPT_OFFSET] += sizeof(n_time); } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200208281118.g7SBImkF022694>