From owner-freebsd-bugs Wed Jun 21 23:53:53 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from king.ukrnet.net (king.ukrnet.net [212.26.128.2]) by hub.freebsd.org (Postfix) with ESMTP id 99EB437B837 for ; Wed, 21 Jun 2000 23:53:36 -0700 (PDT) (envelope-from gnut@fc.kiev.ua)
Received: from blend.fc.kiev.ua (blend.fc.kiev.ua [212.26.129.73]) by king.ukrnet.net (8.10.2/8.10.0) with ESMTP id e5M6qko27030; Thu, 22 Jun 2000 09:52:48 +0300
Received: from GNUT ([212.26.129.66]) by blend.fc.kiev.ua (8.9.3/8.9.2) with ESMTP id JAA32909; Thu, 22 Jun 2000 09:52:41 +0300 (EEST) (envelope-from gnut@fc.kiev.ua)
Date: Thu, 22 Jun 2000 09:52:35 +0400
From: "Oles' Hnatkevych"
X-Mailer: The Bat! (v1.41) UNREG / CD5BF9353B3B7091
Reply-To: "Oles' Hnatkevych"
Organization: Finance & Credit Banking Corporation
X-Priority: 2 (High)
Message-ID: <13411.000622@fc.kiev.ua>
To: freebsd-bugs@freebsd.org
Cc: brian@Awfulhak.org
Subject: bug in PPP code
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

The PPP code does not properly handle the information about interfaces, resulting in routes lost to some peers and complaints about being unable to delete an address from an interface (though the address does not belong to that interface). Some of you may have seen me in freebsd-questions complaining about a "Warning" issued by PPP saying that it could not remove an address from an interface. Finally the bug in the PPP source code was found. The bug is difficult to spot because not many of you use more than 10 tunnel devices simultaneously.
The bug is in iface.c: look at the lines below and check out the quoted line (marked with >>):

    while (ptr < end && iface == NULL) {
      ifm = (struct if_msghdr *)ptr;          /* On if_msghdr */
      if (ifm->ifm_type != RTM_IFINFO)
        break;
      dl = (struct sockaddr_dl *)(ifm + 1);   /* Single _dl at end */
>>    if (!strncmp(name, dl->sdl_data, dl->sdl_nlen)) {
        iface = (struct iface *)malloc(sizeof *iface);
        if (iface == NULL) {
          fprintf(stderr, "iface_Create: malloc: %s\n", strerror(errno));
          return NULL;
        }

Suppose tun30 has been chosen and in the loop we have received the information about tun3. The strncmp function WILL return 0, because tun3 = tun30 when comparing just the first 4 characters, which is the length of "tun3" (dl->sdl_nlen). The result of this is that the internal PPP structure that contains information about the interface has, from the beginning, wrong data about its current addresses (in the example, the tun3 address). And again, the route to this address is removed from the routing table, but the kernel cannot delete this address from the interface because it does not belong to it.

We have removed the letter 'n' from the function name and its last argument and are now happy ;)

I believe that strncmp may cause some other errors, since it is used several times in the PPP source code, and I'm not bothering to find out if it is used properly.

With best wishes,
Oles' Hnatkevych, http://gnut.kiev.ua, gnut@fc.kiev.ua
Finance & Credit Banking Corporation, Kyiv, Ukraine.
Industrialnaya str. 27, +380 44 2417190
Artema str. 60, +380 44 4906877
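The prefix match described in the report, reproduced as an added example (this is illustration code written for this page, not the ppp source, and the struct below is a constructed stand-in for the name fields of sockaddr_dl, not the real kernel type). It walks a constructed interface list the way the iface.c loop does, once with the length-bounded strncmp from the quoted line and once with a comparison that checks the length before the bytes, and shows that only the second one picks tun30 rather than tun3. Because sdl_data is a length-counted field, the exact comparison uses sdl_nlen plus memcmp rather than strcmp, so it never relies on the name being NUL-terminated.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the name-carrying fields of struct sockaddr_dl
 * (not the real kernel type): sdl_data holds the interface name and
 * sdl_nlen its length. The field is length-counted, not NUL-terminated
 * by contract, which is why the loop in iface.c bounds the compare. */
struct link_name {
    unsigned char sdl_nlen;
    char sdl_data[16];
};

/* Build a record the way the routing socket reports it: length + bytes. */
static struct link_name make_link_name(const char *ifname)
{
    struct link_name ln;
    memset(&ln, 0, sizeof ln);
    ln.sdl_nlen = (unsigned char)strlen(ifname);
    memcpy(ln.sdl_data, ifname, ln.sdl_nlen);
    return ln;
}

/* The comparison quoted from iface.c: bounded by the record's own length,
 * so a record whose name is a prefix of the wanted one ("tun3" vs "tun30")
 * compares equal. */
int matches_prefix_bug(const char *wanted, const struct link_name *ln)
{
    return strncmp(wanted, ln->sdl_data, ln->sdl_nlen) == 0;
}

/* Corrected comparison: the lengths must agree before the bytes are
 * compared, so neither a prefix nor a longer name can match. Unlike
 * strcmp(), this never reads past sdl_nlen bytes of sdl_data. */
int matches_exact(const char *wanted, const struct link_name *ln)
{
    size_t len = strlen(wanted);
    return len == ln->sdl_nlen && memcmp(wanted, ln->sdl_data, len) == 0;
}

/* Walk the records like the while loop in iface.c and return the index of
 * the first one the comparison accepts, or -1 if none does. */
int find_iface(const char *wanted, const struct link_name *list, int n,
               int (*match)(const char *, const struct link_name *))
{
    for (int i = 0; i < n; i++)
        if (match(wanted, &list[i]))
            return i;
    return -1;
}

/* Constructed interface list in the order a kernel dump might present it.
 * Returns the index picked for "tun30" by the buggy (use_exact == 0) or
 * the corrected (use_exact != 0) comparison. */
int pick_tun30(int use_exact)
{
    const char *names[] = { "lo0", "tun0", "tun3", "tun30" };
    struct link_name list[4];
    for (int i = 0; i < 4; i++)
        list[i] = make_link_name(names[i]);
    return find_iface("tun30", list, 4,
                      use_exact ? matches_exact : matches_prefix_bug);
}

int main(void)
{
    printf("strncmp(..., sdl_nlen) picks index %d (tun3)\n", pick_tun30(0));
    printf("length + memcmp picks index %d (tun30)\n", pick_tun30(1));
    return 0;
}
```

The mismatch only fires in one direction: looking for "tun30" accepts a "tun3" record, whereas looking for "tun3" rejects "tun30" because the bounded compare reaches the NUL of the wanted name. That asymmetry is why the symptom only appears once enough tunnel devices exist for a shorter name to precede a longer one in the dump.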