From owner-freebsd-bugs@FreeBSD.ORG  Wed Aug 17 20:30:20 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7ECFD16A41F
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 17 Aug 2005 20:30:20 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 123F243D46
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 17 Aug 2005 20:30:20 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j7HKUJWh076648
	for <freebsd-bugs@freefall.freebsd.org>; Wed, 17 Aug 2005 20:30:19 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j7HKUJBg076647;
	Wed, 17 Aug 2005 20:30:19 GMT (envelope-from gnats)
Resent-Date: Wed, 17 Aug 2005 20:30:19 GMT
Resent-Message-Id: <200508172030.j7HKUJBg076647@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Dmitrij Tejblum <tejblum@yandex-team.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AB1B416A41F
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 17 Aug 2005 20:22:56 +0000 (GMT)
	(envelope-from tejblum@yt64.yandex.ru)
Received: from yt64.yandex.ru (yt64.yandex.ru [213.180.209.245])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F14F243D46
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 17 Aug 2005 20:22:55 +0000 (GMT)
	(envelope-from tejblum@yt64.yandex.ru)
Received: from yt64.yandex.ru (localhost [127.0.0.1])
	by yt64.yandex.ru (8.13.3/8.13.3) with ESMTP id j7HKQ6jo070976
	for <FreeBSD-gnats-submit@freebsd.org>;
	Thu, 18 Aug 2005 00:26:06 +0400 (MSD)
	(envelope-from tejblum@yt64.yandex.ru)
Received: (from tejblum@localhost)
	by yt64.yandex.ru (8.13.3/8.13.3/Submit) id j7HKQ5JX070975;
	Thu, 18 Aug 2005 00:26:05 +0400 (MSD) (envelope-from tejblum)
Message-Id: <200508172026.j7HKQ5JX070975@yt64.yandex.ru>
Date: Thu, 18 Aug 2005 00:26:05 +0400 (MSD)
From: Dmitrij Tejblum <tejblum@yandex-team.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: kern/85052: [patch] ip_fastforward.c mishandle broadcast packets
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Dmitrij Tejblum <tejblum@yandex-team.ru>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2005 20:30:20 -0000


>Number:         85052
>Category:       kern
>Synopsis:       [patch] ip_fastforward.c mishandle broadcast packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 17 20:30:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Dmitrij Tejblum
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
OOO Yandex
>Environment:

Network with several routers with fastforwarding enabled.

>Description:

Fastforwarding may forward broadcast packets under some circumstances. It
does not appear to be useful. Comments in this file suggest that it is not
intended. It looks like ip_forward() (in ip_input.c) does not forward packets
with M_BCAST.


>How-To-Repeat:

On a router with fastforwarding enabled:

ifconfig vlanNNN create
ifconfig vlanNNN vlandev em0 vlan NNN
ifconfig vlanNNN up #note: no IP address assigned

Now, suppose we have the network 10.20.30.0/24 in vlan NNN. Broadcast packet 
to 10.20.30.255, received by the router, will be forwarded to the vlan NNN
(via other routers). I.e. we have a loop. Moreover, since M_BCAST is not
cleared, the packet is forwarded as a broadcast, and it result in a
broadcast storm.

>Fix:

Index: ip_fastfwd.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fastfwd.c,v
retrieving revision 1.17.2.7
diff -u -r1.17.2.7 ip_fastfwd.c
--- ip_fastfwd.c	31 Mar 2005 17:03:45 -0000	1.17.2.7
+++ ip_fastfwd.c	17 Aug 2005 10:41:21 -0000
@@ -157,8 +157,6 @@
 	struct mbuf *m0 = NULL;
 	struct route ro;
 	struct sockaddr_in *dst = NULL;
-	struct in_ifaddr *ia = NULL;
-	struct ifaddr *ifa = NULL;
 	struct ifnet *ifp;
 	struct in_addr odest, dest;
 	u_short sum, ip_len;
@@ -324,21 +322,10 @@
 		return 0;
 
 	/*
-	 * Or is it for a local IP broadcast address on this host?
+	 * No L2 broadcast or multicast.
 	 */
-	if ((m->m_flags & M_BCAST) &&
-	    (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST)) {
-	        TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
-			if (ifa->ifa_addr->sa_family != AF_INET)
-				continue;
-			ia = ifatoia(ifa);
-			if (ia->ia_netbroadcast.s_addr == ip->ip_dst.s_addr)
-				return 0;
-			if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
-			    ip->ip_dst.s_addr)
-				return 0;
-		}
-	}
+	if (m->m_flags & (M_BCAST|M_MCAST))
+		return 0;
 	ipstat.ips_total++;
 
 	/*


>Release-Note:
>Audit-Trail:
>Unformatted: