From owner-freebsd-bugs@FreeBSD.ORG Tue Sep 7 09:20:25 2004 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 18CD016A4CE for ; Tue, 7 Sep 2004 09:20:25 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F39DC43D2F for ; Tue, 7 Sep 2004 09:20:24 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i879KOO4082298 for ; Tue, 7 Sep 2004 09:20:24 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i879KOOj082297; Tue, 7 Sep 2004 09:20:24 GMT (envelope-from gnats) Resent-Date: Tue, 7 Sep 2004 09:20:24 GMT Resent-Message-Id: <200409070920.i879KOOj082297@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Matthias Andree Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB7D616A4CE; Tue, 7 Sep 2004 09:14:42 +0000 (GMT) Received: from unimail.uni-dortmund.de (mx1.HRZ.Uni-Dortmund.DE [129.217.128.51]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3580843D5A; Tue, 7 Sep 2004 09:14:42 +0000 (GMT) (envelope-from matthias.andree@web.de) Received: from m2a2.myip.org (tuirldiamg29ktmj@pD9E1E0CF.dip.t-dialin.net [217.225.224.207]) (authenticated bits=0)i879EVHD009636; Tue, 7 Sep 2004 11:14:37 +0200 (CEST) Received: by merlin.emma.line.org (Postfix, from userid 1001) id 47CD81B20D; Tue, 7 Sep 2004 11:14:30 +0200 (CEST) Message-Id: <20040907091430.47CD81B20D@merlin.emma.line.org> Date: Tue, 7 Sep 2004 11:14:30 +0200 (CEST) From: Matthias Andree To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 cc: re@FreeBSD.org Subject: bin/71453: tcpdump segfaults on PPP IPV6CP traffic X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Sep 2004 09:20:25 -0000 >Number: 71453 >Category: bin >Synopsis: tcpdump segfaults on PPP IPV6CP traffic >Confidential: no >Severity: critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Sep 07 09:20:24 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Matthias Andree >Release: FreeBSD 5.3-BETA3 i386 >Organization: >Environment: System: FreeBSD merlin.emma.line.org 5.3-BETA3 FreeBSD 5.3-BETA3 #7: Mon Sep 6 12:28:24 CEST 2004 toor@merlin.emma.line.org:/usr/src/sys/i386/compile/MA5 i386 >Description: tcpdump aborts with a SIGSEGV when it sees PPP IPv6CP traffic. The "crash" portion of this bug has apparently been fixed in tcpdump.org's CVS as of July 13th, 2004, but it appears the upstream tcpdump still has no IPv6CP support. Relevant excerpt from post-mortem stacktrace: GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. ... This GDB was configured as "i386-marcel-freebsd"... Core was generated by `tcpdump'. Program terminated with signal 11, Segmentation fault. ... #0 0x00000000 in ?? () (gdb) bt full #0 0x00000000 in ?? () No symbol table info available. #1 0x0807022c in handle_ctrl_proto (proto=32855, pptr=0x81892b0 "\001\001", length=14) at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:447 typestr = 0x80cb8e0 "unknown" code = 10 len = 14 pfunc = (int (*)(const u_char *, int)) 0 x = 10 j = 0 tptr = ( const u_char *) 0x81892b4 "\001\n\002`\227ÿþ¼ÅôV(Üv=AÅ\222\016" #2 0x08071587 in handle_ppp (proto=0, p=0x81892b0 "\001\001", length=14) at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:1064 No locals. #3 0x08071740 in ppp_print (p=0x81892b0 "\001\001", length=14) at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-ppp.c:1146 proto = 32855 olen = 16 hdr_len = 2 #4 0x08071c8d in pppoe_print (bp=0x81892a8 "\021", length=22) at /usr/src/usr.sbin/tcpdump/tcpdump/../../../contrib/tcpdump/print-pppoe.c:212 pppoe_ver = 37556 pppoe_type = 1 pppoe_code = 0 pppoe_sessionid = 696 pppoe_length = 16 pppoe_packet = (const u_char *) 0xe
pppoe_payload = (const u_char *) 0x81892ae "\200W\001\001" >How-To-Repeat: 1. Configure a PPPoE link via a certain interface, say xl1 but do not yet run ppp 2. Attach tcpdump -vns2000 -ixl1 (use the same interface for -i as in #1) 3. run ppp to start this link tcpdump crashes as ppp tries to negotiate IPv6. >Fix: 1. tcpdump acts outright stupid in print-ppp.c ll. 425ff by setting pfunc=NULL and then dereferencing it in a function call. Please consider importing http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-ppp.c?r1=1.89.2.3&r2=1.89.2.4 2. add a proper print_ipv6cp_config_options function (upstream issue) >Release-Note: >Audit-Trail: >Unformatted: