Message-ID: <39C620D3.167EB0E7@elischer.org>
Date: Mon, 18 Sep 2000 07:04:03 -0700
From: Julian Elischer
To: Ben Schumacher
Cc: freebsd-net@freebsd.org
Subject: Re: netgraph based MAC authentication (core dump information)

maybe someone can say what the trap address was...
BTW, next time set "set print pretty" and "set radix 16"

Ben Schumacher wrote:
>
> #9 0xc022c723 in trap (frame={
> tf_fs = 16, tf_es = 16, tf_ds = 16,
> tf_edi = -918835756, tf_esi = -1065955662,
> tf_ebp = -918835836, tf_isp = -918835860,
> tf_ebx = -16369088, tf_edx = 65534,
> tf_ecx = -1065955682, tf_eax = 0,
> tf_trapno = 12, tf_err = 0,
> tf_eip = -1072107089, tf_cs = 8,
> tf_eflags = 66178,
> tf_esp = -1065955840, tf_ss = -918835756})
> at ../../i386/i386/trap.c:426
> #10 0xc018f1af in in_broadcast (in={s_addr = 4278598208}, ifp=0x0) at
> ../../netinet/in.c:736

looking at this I wonder if the problem is actually 2 lines further
down at line 738. ifp is 0x00 and it is dereferenced there.

> #11 0xc019a446 in udp_input (m=0xc076ce00, off=20, proto=17) at
> ../../netinet/udp_usrreq.c:238
> #12 0xc01921e9 in ip_input (m=0xc076ce00) at ../../netinet/ip_input.c:738
> #13 0xc0192247 in ipintr () at ../../netinet/ip_input.c:766
> #14 0xc021fd65 in swi_net_next ()
> #15 0xc015d72d in sendit (p=0xc89c3260, s=4, mp=0xc93baf10, flags=0) at
> ../../kern/uipc_syscalls.c:520
> #16 0xc015d821 in sendto (p=0xc89c3260, uap=0xc93baf80) at
> ../../kern/uipc_syscalls.c:572
> #17 0xc022d195 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
> tf_edi = -1078004048, tf_esi = 671511360,
> tf_ebp = -1078004024, tf_isp = -918835244, tf_ebx = 671511548,
> tf_edx = -1078003928, tf_ecx = -7,
> tf_eax = 133, tf_trapno = 7, tf_err = 2, tf_eip = 671741624, tf_cs =
> 31, tf_eflags = 647,
> tf_esp = -1078004116, tf_ss = 47}) at ../../i386/i386/trap.c:1126
> #18 0xc021e905 in Xint0x80_syscall ()
> #19 0x8048add in ?? ()
> #20 0x8048651 in ?? ()
> (kgdb) up 10
> #10 0xc018f1af in in_broadcast (in={s_addr = 4278598208}, ifp=0x0) at
> ../../netinet/in.c:736
> 736 if (in.s_addr == INADDR_BROADCAST ||
> (kgdb) list
> 731 struct ifnet *ifp;
> 732 {
> 733 register struct ifaddr *ifa;
> 734 u_long t;
> 735
> 736 if (in.s_addr == INADDR_BROADCAST ||
> 737 in.s_addr == INADDR_ANY)
> 738 return 1;
> 739 if ((ifp->if_flags & IFF_BROADCAST) == 0)
> 740 return 0;
> (kgdb) print in
> $1 = {s_addr = 6422528}
> (kgdb) print in.s_addr
> $2 = 6422528
> (kgdb) up
> #11 0xc019a446 in udp_input (m=0xc076ce00, off=20, proto=17) at
> ../../netinet/udp_usrreq.c:238
> 238 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
> (kgdb) up
> #12 0xc01921e9 in ip_input (m=0xc076ce00) at ../../netinet/ip_input.c:738
> 738 (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, off, nh);
> (kgdb) up
> #13 0xc0192247 in ipintr () at ../../netinet/ip_input.c:766
> 766 ip_input(m);

Now, this is actually possible, and in fact almost any UDP packet
might cause this problem.
it seems that the packet you are reinjecting into the system does not
include a pointer to the interface it comes from, and udp_input() is
calling in_broadcast with this packet's ifp pointer which is NULL.

try the following patch..

Index: ng_ether.c =================================================================== RCS file: /home/ncvs/src/sys/netgraph/ng_ether.c,v retrieving revision 1.9 diff -u -r1.9 ng_ether.c --- ng_ether.c 2000/09/01 00:28:03 1.9 +++ ng_ether.c 2000/09/18 14:03:13 @@ -657,6 +657,7 @@ m->m_data += sizeof(*eh); m->m_len -= sizeof(*eh); m->m_pkthdr.len -= sizeof(*eh); + m->m_pkthdr.rcvif = priv->ifp; /* Route packet back in */ NG_FREE_META(meta);

--
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000
---> X_.---._/  presently in:  Perth
            v
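
Review bot: the added m->m_pkthdr.rcvif = priv->ifp; line in the @@ -657,6 +657,7 @@ hunk carries no comment saying why rcvif has to be set before the packet is routed back in; a short note that udp_input() hands rcvif to in_broadcast(), which dereferences it, would keep the assignment from being dropped in a later cleanup. The change also covers only this ng_ether re-injection path: in_broadcast() as listed in the backtrace (in.c line 739) still reads ifp->if_flags with no NULL check, so any other source of packets with a NULL rcvif would trap the same way, and a guard or assertion there is worth raising as a separate change.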