Date: Wed, 12 Dec 2001 21:22:24 -0800 (PST)
From: Archie Cobbs <archie@dellroad.org>
To: Lars Eggert <larse@ISI.EDU>
Cc: Mark A Gebert <geeb@thugsrus.org>, freebsd-net@FreeBSD.ORG
Subject: Re: Problems with mpd-netgraph and Stable
Message-ID: <200112130522.fBD5MOD19095@arch20m.dellroad.org>
In-Reply-To: <3C164FE7.2010001@isi.edu> "from Lars Eggert at Dec 11, 2001 10:26:47 am"
Lars Eggert writes:
> > I'm trying to do pptp with mpd-netgraph and a stable kernel build from a
> > day ago. Every time I run it on my IBM T-20 laptop (with fxp interface),
> > it negotiates the link and as it's ready to be used the laptop crashes:
>
> I've seen mpd crashes with Cisco VPN servers that are stupid enough to
> advertise their own IP address to the client, causing an infinite
> encapsulation loop (tunneled packets forwarded over the tunnel).
>
> You could catch that with a sanity check inside mpd (don't accept the
> server's physical address for your own use during negotiation). I've not
> done this, we simply returned the Cisco box :-)

Mark,

Please give the patch below a try. It should cause IPCP negotiation to fail, instead of succeeding and then crashing the kernel.

FYI in theory we could support the peer's "inside the tunnel" IP address being the same as the "outside the tunnel" IP address but it would require some really ugly kernel hacks.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

Index: ipcp.c =================================================================== RCS file: /home/cvs/archie/mpd/src/ipcp.c,v retrieving revision 1.2 diff -u -r1.2 ipcp.c --- ipcp.c 2001/04/12 17:03:31 1.2 +++ ipcp.c 2001/12/13 05:21:21 @@ -19,6 +19,7 @@ #include "custom.h" #include "msg.h" #include "ngfunc.h" +#include "pptp.h" #include <netgraph.h> #include <sys/mbuf.h> @@ -607,7 +608,7 @@ switch (mode) { case MODE_REQ: if (!IpAddrInRange(&ipcp->conf.peer_allow, *ip) || !ip->s_addr) { - if (ipcp->peer_addr.s_addr == 0) +nak_ip: if (ipcp->peer_addr.s_addr == 0) Log(LG_IPCP, (" %s", "no IP address available for peer!")); if (Enabled(&ipcp->conf.options, IPCP_CONF_PRETENDIP)) { Log(LG_IPCP, (" pretending that %s is OK, will ignore", 
@@ -620,6 +621,17 @@ Log(LG_IPCP, (" NAKing with %s", inet_ntoa(*ip))); FsmNak(fp, opt); break; + } + if (bund->links[0]->phys->type == &gPptpPhysType) { + struct in_addr pip; + + lnk = bund->links[0]; + pip = PptpGetPeerIp(); + if (ip->s_addr == pip.s_addr) { + Log(LG_IPCP, + (" Same as PPTP IP; would cause routing loop")); + goto nak_ip; + } } Log(LG_IPCP, (" %s is OK", inet_ntoa(*ip))); ipcp->peer_addr = *ip;
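
Review bot: In the @@ -607,7 +608,7 @@ hunk, the nak_ip label sits on the `if (ipcp->peer_addr.s_addr == 0)` line, so the new `goto nak_ip` lands ahead of the IPCP_CONF_PRETENDIP test. With that option enabled, an address equal to the PPTP peer's would enter the branch that logs "pretending that %s is OK" instead of going straight to the NAK, and when no peer address is configured the log would read "no IP address available for peer!", which misdescribes this rejection. Consider giving the loop case its own reject path that does not pass through the PRETENDIP branch, or confirm that the pretend branch cannot leave the looping address in use.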
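
Review bot: In the @@ -620,6 +621,17 @@ hunk, `lnk = bund->links[0];` is assigned but not used in any visible line, and `PptpGetPeerIp()` takes no argument, so the call appears to depend on lnk as ambient state. If that is the case, lnk stays changed after this option is processed; either restore the previous value or pass the link to the function explicitly. The test `bund->links[0]->phys->type == &gPptpPhysType` also inspects only the first link of the bundle, so a short comment stating that assumption would help the next reader.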