Date:      Sun, 14 Jul 2002 20:02:36 +0200 (CEST)
From:      Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
Subject:   kern/40563: gif driver can clobber route/arp table
Message-ID:  <200207141802.g6EI2aUq093340@luna.imag.fr>

>Number:         40563
>Category:       kern
>Synopsis:       gif driver can clobber route/arp table
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 14 11:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jean-Luc Richier
>Release:        FreeBSD 4.6-RELEASE i386
>Organization:
LSR-IMAG Grenoble, France
>Environment:
System: FreeBSD luna.imag.fr 4.6-RELEASE FreeBSD 4.6-RELEASE #6: Wed Jun 12 18:55:37 GMT 2002 richier@luna.imag.fr:/usr/src/sys/compile/VLAN i386
	also FreeBSD current (June, 24 2002)
	and KAME FreeBSD (kame-20020708-freebsd46-snap.tgz)

>Description:
	If the destination of an IPv4 tunnel (gif interface) is changed
	between IPv4 and IPv6 addresses, incorrect information is set in the
	kernel/route table

>How-To-Repeat:
	Consider the following script (GIF)
		PATH="/sbin:/usr/sbin:$PATH"
		export PATH
		ifn=gif1

		eval `ifconfig | awk '
		($1 == "inet" && !inet) { inet = $2 }
		($1 == "inet6" && !inet6 && $2 ~ /^[23].*[^:]$/) { inet6 = $2 }
		END  {  t = 0; if (inet ~ /0$/) t = 1
			dst = inet; sub(/.$/, t, dst)
			t = 0; if (inet6 ~ /0$/) t = 1
			dst6 = inet6; sub(/.$/, t, dst6)
			print "inet=" inet; print "dst=" dst
			print "inets=" inet6; print "dsts=" dst6 }'`
		ifconfig $ifn unplumb >/dev/null 2>&1
		set -x
		ifconfig $ifn create
		gifconfig $ifn inet6 $inets $dsts
		ifconfig $ifn inet6 add 5000:1::1/128 5000:2::1
		: Can be long
		ping6 -c 1 5000:2::1
		: Can be long
		ping -c 1 $dst
		gifconfig $ifn $inet $dst
		: Can be long
		ping6 -c 1 5000:2::1
		: If error there will be two entries for $dst
		arp -an

	sh GIF
        + : If error there will be two entries for 129.88.38.10
        + arp -an
        ? (129.88.38.1) at 00:03:ba:00:d5:0f on dc0 [ethernet]
        ? (129.88.38.10) at 08:00:20:82:e1:a9 on dc0 [ethernet]
        ? (129.88.38.10) at (incomplete) on dc0 [ethernet

>Fix:
	There is a missing bzero in in_gif.c - If the cached route for the
	destination address of the tunnel is changed, some of the fields are
	modified for the new route. But if the change is from an IPv6
	address to an IPv4 address, all the IPv4 fields are not correct:
	the sin_zero part of the sockaddr_in struct is not cleared,
	and therefore arp lookup will fail (as a match in route is done
	on the 16 bytes of the sockaddr)
	This bug is not in in6_gif.c (the bzero of the route cache is done)

	To correct:
--- /sys/netinet/in_gif.c.DIST	Sun Apr 28 07:40:26 2002
+++ /sys/netinet/in_gif.c	Thu May 23 17:21:49 2002
@@ -167,6 +167,7 @@
 	if (dst->sin_family != sin_dst->sin_family ||
 	    dst->sin_addr.s_addr != sin_dst->sin_addr.s_addr) {
 		/* cache route doesn't match */
+		bzero(dst, sizeof(*dst));
 		dst->sin_family = sin_dst->sin_family;
 		dst->sin_len = sizeof(struct sockaddr_in);
 		dst->sin_addr = sin_dst->sin_addr;
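
Review bot: the bzero(dst, sizeof(*dst)) added at the top of the cache-mismatch branch needs a short comment saying why it is there. The three assignments that follow set only sin_family, sin_len and sin_addr, so a later reader could take the clear for redundant and drop it. Something like /* clear sin_port and sin_zero left over from the previous cached destination */ directly above the call would do.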

>Release-Note:
>Audit-Trail:
>Unformatted:
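
The failure described under Fix, as an added C example that is not part of the original report or of the FreeBSD source. The struct layouts, family constants, function names and addresses are constructed stand-ins (assumptions) for a cached destination buffer that is reused across address families and then compared over the full 16 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the BSD sockaddr_in / sockaddr_in6 layouts. */
struct sin4 { uint8_t len, family; uint16_t port; uint32_t addr; uint8_t zero[8]; };
struct sin6 { uint8_t len, family; uint16_t port; uint32_t flowinfo; uint8_t addr[16]; uint32_t scope_id; };
/* One buffer holds the cached destination of either family. */
union dst_cache { struct sin4 v4; struct sin6 v6; };
enum { FAM_INET = 2, FAM_INET6 = 28 };   /* assumed values */

static void cache_set_v6(union dst_cache *c, const uint8_t addr[16])
{
    memset(c, 0, sizeof(*c));
    c->v6.len = sizeof(struct sin6);
    c->v6.family = FAM_INET6;
    memcpy(c->v6.addr, addr, 16);
}

/* Mirrors the branch in the patch; clear=0 is the code before the fix. */
static void cache_set_v4(union dst_cache *c, uint32_t addr, int clear)
{
    struct sin4 *dst = &c->v4;
    if (clear)
        memset(dst, 0, sizeof(*dst));
    dst->family = FAM_INET;
    dst->len = sizeof(struct sin4);
    dst->addr = addr;
}

/* Lookup key comparison over the whole 16-byte sockaddr. */
static int key_matches(const struct sin4 *a, const struct sin4 *b)
{
    return a->len == b->len && memcmp(a, b, a->len) == 0;
}

/* Returns 1 if the cached IPv4 key still matches a cleanly built entry. */
int lookup_after_switch(int clear)
{
    static const uint8_t v6[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
    const struct sin4 existing = { sizeof(struct sin4), FAM_INET, 0, 0x0a000001, {0} };
    union dst_cache c;
    cache_set_v6(&c, v6);                 /* tunnel endpoint was IPv6 (constructed address) */
    cache_set_v4(&c, 0x0a000001, clear);  /* now switched to IPv4 (constructed address) */
    return key_matches(&c.v4, &existing);
}

int main(void)
{
    printf("match without clear=%d, with clear=%d\n", lookup_after_switch(0), lookup_after_switch(1));
    return 0;
}
```

Without the clear, the first eight bytes of the old IPv6 address remain in the zero field, so the key differs from the clean entry even though family, length and address agree.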
