From owner-freebsd-bugs Sun Jul 14 11:10:13 2002 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47FC937B401 for ; Sun, 14 Jul 2002 11:10:03 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0DCD443E65 for ; Sun, 14 Jul 2002 11:10:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6EIA1JU080436 for ; Sun, 14 Jul 2002 11:10:01 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6EIA1lH080435; Sun, 14 Jul 2002 11:10:01 -0700 (PDT) Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C50237B400 for ; Sun, 14 Jul 2002 11:04:15 -0700 (PDT) Received: from imag.imag.fr (imag.imag.fr [129.88.30.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 39A2243E6D for ; Sun, 14 Jul 2002 11:04:14 -0700 (PDT) (envelope-from Jean-Luc.Richier@imag.fr) Received: from horus.imag.fr (horus.imag.fr [129.88.38.1]) by imag.imag.fr (8.11.6/8.11.6) with ESMTP id g6EI4DS13493 for ; Sun, 14 Jul 2002 20:04:13 +0200 (MEST) Received: (from richier@localhost) by horus.imag.fr (8.11.6/8.11.6/Imag.pm.V2) id g6EI4Ct17930 for FreeBSD-gnats-submit@freebsd.org; Sun, 14 Jul 2002 20:04:12 +0200 (MEST) Received: from imag.imag.fr (imag.imag.fr [129.88.30.1]) by horus.imag.fr (8.11.6/8.11.6/Imag.pm.V2) with ESMTP id g6EI3qg17917 for ; Sun, 14 Jul 2002 20:03:52 +0200 (MEST) Received: from luna.imag.fr (luna.imag.fr [129.88.26.80]) by imag.imag.fr (8.11.6/8.11.6) with ESMTP id g6EI3qS13486 for ; Sun, 14 Jul 2002 20:03:52 +0200 (MEST) Received: from luna.imag.fr (localhost [127.0.0.1]) by luna.imag.fr (8.12.3/8.12.3) with ESMTP id g6EI2aIN093341; Sun, 14 Jul 2002 20:02:36 +0200 (CEST) (envelope-from richier@horus.imag.fr) Received: (from root@localhost) by luna.imag.fr (8.12.3/8.12.3/Submit) id g6EI2aUq093340; Sun, 14 Jul 2002 20:02:36 +0200 (CEST) (envelope-from richier) Message-Id: <200207141802.g6EI2aUq093340@luna.imag.fr> Date: Sun, 14 Jul 2002 20:02:36 +0200 (CEST) From: Jean-Luc Richier Reply-To: Jean-Luc Richier To: FreeBSD-gnats-submit@FreeBSD.org Cc: Jean-Luc Richier X-Send-Pr-Version: 3.113 Subject: kern/40563: gif driver can clobber route/arp table Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 40563 >Category: kern >Synopsis: gif driver can clobber route/arp table >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Jul 14 11:10:01 PDT 2002 >Closed-Date: >Last-Modified: >Originator: Jean-Luc Richier >Release: FreeBSD 4.6-RELEASE i386 >Organization: LSR-IMAG Grenoble, France >Environment: System: FreeBSD luna.imag.fr 4.6-RELEASE FreeBSD 4.6-RELEASE #6: Wed Jun 12 18:55:37 GMT 2002 richier@luna.imag.fr:/usr/src/sys/compile/VLAN i386 also FreeBSD current (June, 24 2002) and KAME FreeBSD (kame-20020708-freebsd46-snap.tgz) >Description: If the destination of an IPv4 tunnel (gif interface) is changed between IPv4 and IPv6 adresses, incorrect information are set in the kernel/route table >How-To-Repeat: Consider the folling script (GIF) PATH="/sbin:/usr/sbin:$PATH" export PATH ifn=gif1 eval `ifconfig | awk ' ($1 == "inet" && !inet) { inet = $2 } ($1 == "inet6" && !inet6 && $2 ~ /^[23].*[^:]$/) { inet6 = $2 } END { t = 0; if (inet ~ /0$/) t = 1 dst = inet; sub(/.$/, t, dst) t = 0; if (inet6 ~ /0$/) t = 1 dst6 = inet6; sub(/.$/, t, dst6) print "inet=" inet; print "dst=" dst print "inets=" inet6; print "dsts=" dst6 }'` ifconfig $ifn unplumb >/dev/null 2>&1 set -x ifconfig $ifn create gifconfig $ifn inet6 $inets $dsts ifconfig $ifn inet6 add 5000:1::1/128 5000:2::1 : Can be long ping6 -c 1 5000:2::1 : Can be long ping -c 1 $dst gifconfig $ifn $inet $dst : Can be long ping6 -c 1 5000:2::1 : If error there will be two entries for $dst arp -an sh GIF + : If error there will be two entries for 129.88.38.10 + arp -an ? (129.88.38.1) at 00:03:ba:00:d5:0f on dc0 [ethernet] ? (129.88.38.10) at 08:00:20:82:e1:a9 on dc0 [ethernet] ? (129.88.38.10) at (incomplete) on dc0 [ethernet >Fix: There is a missing bzero in in_gif.c - If the cached route for the destination adress of the tunnel is changed, some of the fields are modified to for the new route. But if the change is from an IPv6 address to an IPv4 adress, all the IPv4 fields are not correct : the sin_zero port of the sockaddr_in struct is not cleared, and therefore arp lokkup will fails (as une match in route is done and the 16 bytes of the sockaddr) This bug is not in in6_gif.c (the bzero of the route cache is done) To correct: --- /sys/netinet/in_gif.c.DIST Sun Apr 28 07:40:26 2002 +++ /sys/netinet/in_gif.c Thu May 23 17:21:49 2002 @@ -167,6 +167,7 @@ if (dst->sin_family != sin_dst->sin_family || dst->sin_addr.s_addr != sin_dst->sin_addr.s_addr) { /* cache route doesn't match */ + bzero(dst, sizeof(*dst)); dst->sin_family = sin_dst->sin_family; dst->sin_len = sizeof(struct sockaddr_in); dst->sin_addr = sin_dst->sin_addr; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message