Date: Sun, 14 Jul 2002 20:02:36 +0200 (CEST)
From: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
Subject: kern/40563: gif driver can clobber route/arp table
Message-ID: <200207141802.g6EI2aUq093340@luna.imag.fr>

>Number: 40563
>Category: kern
>Synopsis: gif driver can clobber route/arp table
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 14 11:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Jean-Luc Richier
>Release: FreeBSD 4.6-RELEASE i386
>Organization: LSR-IMAG Grenoble, France
>Environment:
System: FreeBSD luna.imag.fr 4.6-RELEASE FreeBSD 4.6-RELEASE #6: Wed Jun 12 18:55:37 GMT 2002 richier@luna.imag.fr:/usr/src/sys/compile/VLAN i386
also FreeBSD current (June, 24 2002) and KAME FreeBSD (kame-20020708-freebsd46-snap.tgz)
>Description:
If the destination of an IPv4 tunnel (gif interface) is changed between
IPv4 and IPv6 addresses, incorrect information is set in the kernel/route table
>How-To-Repeat:
Consider the following script (GIF)

PATH="/sbin:/usr/sbin:$PATH"
export PATH
ifn=gif1
eval `ifconfig | awk '
($1 == "inet" && !inet) { inet = $2 }
($1 == "inet6" && !inet6 && $2 ~ /^[23].*[^:]$/) { inet6 = $2 }
END {
    t = 0; if (inet ~ /0$/) t = 1
    dst = inet; sub(/.$/, t, dst)
    t = 0; if (inet6 ~ /0$/) t = 1
    dst6 = inet6; sub(/.$/, t, dst6)
    print "inet=" inet; print "dst=" dst
    print "inets=" inet6; print "dsts=" dst6
}'`
ifconfig $ifn unplumb >/dev/null 2>&1
set -x
ifconfig $ifn create
gifconfig $ifn inet6 $inets $dsts
ifconfig $ifn inet6 add 5000:1::1/128 5000:2::1
: Can be long
ping6 -c 1 5000:2::1
: Can be long
ping -c 1 $dst
gifconfig $ifn $inet $dst
: Can be long
ping6 -c 1 5000:2::1
: If error there will be two entries for $dst
arp -an

sh GIF
+ : If error there will be two entries for 129.88.38.10
+ arp -an
? (129.88.38.1) at 00:03:ba:00:d5:0f on dc0 [ethernet]
? (129.88.38.10) at 08:00:20:82:e1:a9 on dc0 [ethernet]
? (129.88.38.10) at (incomplete) on dc0 [ethernet
>Fix:
There is a missing bzero in in_gif.c - If the cached route for the
destination address of the tunnel is changed, some of the fields are modified
for the new route. But if the change is from an IPv6 address to an IPv4
address, all the IPv4 fields are not correct: the sin_zero part of the
sockaddr_in struct is not cleared, and therefore arp lookup will fail (as a
match in route is done on the 16 bytes of the sockaddr).
This bug is not in in6_gif.c (the bzero of the route cache is done).

To correct:

--- /sys/netinet/in_gif.c.DIST Sun Apr 28 07:40:26 2002 +++ /sys/netinet/in_gif.c Thu May 23 17:21:49 2002 @@ -167,6 +167,7 @@ if (dst->sin_family != sin_dst->sin_family || dst->sin_addr.s_addr != sin_dst->sin_addr.s_addr) { /* cache route doesn't match */ + bzero(dst, sizeof(*dst)); dst->sin_family = sin_dst->sin_family; dst->sin_len = sizeof(struct sockaddr_in); dst->sin_addr = sin_dst->sin_addr;

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
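
Review bot: The new bzero(dst, sizeof(*dst)) at the top of the "cache route doesn't match" branch carries no comment, and the three assignments that follow it (sin_family, sin_len, sin_addr) read like a complete initialisation, so the call is easy to drop later as redundant. Add a one-line comment saying that the cached sockaddr may previously have held a non-IPv4 destination and that the bytes the assignments do not touch (sin_port, sin_zero) must be zero for the later lookup to match. The call has to stay ahead of the assignments, as it is here; as a style point, the sin_len line could use sizeof(*dst) to match the new line.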
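
The failure mode described under >Fix, as an added userland C example (not part of the original report and not FreeBSD kernel code): a destination cache reused first for IPv6 and then for IPv4 keeps stale bytes in sin_zero unless it is cleared, so a comparison over the 16-byte sockaddr fails. The union, the function names and the memcmp-based lookup are assumptions made for illustration; the two addresses are the ones used in the report.

```c
/* Userland model of the stale-bytes problem; not kernel code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for a cached destination shared by both families. */
union cached_dst {
    struct sockaddr_in  sin;
    struct sockaddr_in6 sin6;
};

/* Cache an IPv6 destination. */
static void cache_v6(union cached_dst *c, const char *addr)
{
    memset(c, 0, sizeof(*c));
    c->sin6.sin6_family = AF_INET6;
    inet_pton(AF_INET6, addr, &c->sin6.sin6_addr);
}

/* Switch the cache to an IPv4 destination, with or without the clear. */
static void cache_v4(union cached_dst *c, const char *addr, int clear_first)
{
    if (clear_first)
        memset(&c->sin, 0, sizeof(c->sin)); /* the step the fix adds */
    c->sin.sin_family = AF_INET;
    inet_pton(AF_INET, addr, &c->sin.sin_addr);
}

/* Assumed lookup model: compare the whole 16-byte sockaddr_in to a clean key. */
static int key_matches(const union cached_dst *c, const char *addr)
{
    struct sockaddr_in key;

    memset(&key, 0, sizeof(key));
    key.sin_family = AF_INET;
    inet_pton(AF_INET, addr, &key.sin_addr);
    return memcmp(&c->sin, &key, sizeof(key)) == 0;
}

/* Returns 1 if the IPv4 key still matches after an IPv6 -> IPv4 switch. */
int lookup_after_switch(int clear_first)
{
    union cached_dst c;

    cache_v6(&c, "5000:2::1");
    cache_v4(&c, "129.88.38.10", clear_first);
    return key_matches(&c, "129.88.38.10");
}

int main(void)
{
    printf("no clear: %d, clear: %d\n", lookup_after_switch(0), lookup_after_switch(1));
    return 0;
}
```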