Date: Mon, 23 Feb 2009 11:52:47 +0100
From: david guéluy <david.gueluy@netasq.com>
To: freebsd-net@freebsd.org
Subject: bad usage of the shutdown system call produces a packet with null ip addresses
Message-ID: <F51842F3-0D80-4B2C-9D49-A81099A258F5@netasq.com>
Hi,

By using a PFIL_HOOK on FreeBSD 7.1-prerelease, I noticed that I receive some packets from 0.0.0.0 to 0.0.0.0.

A buggy program in userland produces these packets when the shutdown system call is used on a socket which is not connected.

Even if it's a bad usage of a system call, this case can produce strange behaviours. I think it's necessary to add some checks in tcp_usr_shutdown.

Here is a short sample to reproduce that case:

test.c

    #include <sys/socket.h>
    #include <stdio.h>
    #include <unistd.h>        /* close() */

    int main(void)
    {
            int fd;

            /* TCP socket that is never bound, listened on or connected */
            fd = socket(AF_INET, SOCK_STREAM, 0);
            if (fd == -1)
                    return 1;
            /* shutdown() on the unconnected socket: this is the call that
             * makes tcp_usr_shutdown emit the 0.0.0.0 -> 0.0.0.0 packet */
            shutdown(fd, SHUT_RDWR);
            close(fd);
            return 0;
    }

Add some debug in the kernel:

[usr/src/sys/netinet]# diff -C4 ip_output.c.origin ip_output.c
*** ip_output.c.origin	Mon Feb 23 10:27:52 2009
--- ip_output.c	Fri Feb 20 15:23:39 2009
***************
*** 135,142 ****
--- 135,151 ----
  		hlen = len;
  	}
  	ip = mtod(m, struct ip *);
+ #define PRINTIP(a) printf("%u.%u.%u.%u", (unsigned)ntohl(a)>>24&0xFF, (unsigned)ntohl(a)>>16&0xFF, (unsigned)ntohl(a)>>8&0xFF, (unsigned)ntohl(a)&0xFF)
+ 
+ 	if (m->m_pkthdr.rcvif != NULL)
+ 		printf(" if %s ", m->m_pkthdr.rcvif->if_xname);
+ 	printf(" proto %d src ", (int)ip->ip_p); PRINTIP(ip->ip_src.s_addr);
+ 	printf(" dst "); PRINTIP(ip->ip_dst.s_addr);
+ 	printf(" ttl %u\n", (unsigned)ip->ip_ttl);
+ 
+ 

./test

proto 6 src 0.0.0.0 dst 0.0.0.0 ttl 64

Best regards,
Guéluy David
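Review bot: the PRINTIP macro is #defined in the middle of ip_output() and never #undef'd, and the printf() calls in this hunk fire unconditionally for every packet the function handles, so as posted this is debug instrumentation rather than a committable change; if it is meant to stay, put it under a debug ifdef or sysctl and format the addresses with the kernel's inet_ntoa() instead of four shift-and-mask expressions per address. The new-file header says `--- 135,151 ----` (17 lines) but only 12 lines are shown after it, so the trailing context after the two empty `+` lines was lost somewhere in the mail; regenerating the diff and checking it before resending would let readers see where in ip_output() the prints land.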
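Added example, not part of David's mail or of the FreeBSD tree: a user-space probe that performs the same sequence as test.c, one shutdown() mode at a time, and reports whether the kernel refused the call with ENOTCONN or accepted it. On a kernel that accepts it, that accepted call is the one that reaches tcp_usr_shutdown with no peer and produces the all-zero packet seen by the PFIL hook; the function name shutdown_unconnected() is my own.

```c
/* Probe: does this kernel reject shutdown(2) on a never-connected TCP
 * socket? A kernel with the check the mail asks for fails the call with
 * ENOTCONN; the affected FreeBSD 7.1 build accepted it and ip_output()
 * then saw a proto 6 packet from 0.0.0.0 to 0.0.0.0. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 if shutdown() succeeded on the unconnected socket (the
 * behaviour reported in the mail), the errno value if the kernel refused
 * it, or -1 if the socket could not be created at all. */
int shutdown_unconnected(int how)
{
        int fd, rc, result;

        fd = socket(AF_INET, SOCK_STREAM, 0);   /* never bound or connected */
        if (fd == -1)
                return -1;
        rc = shutdown(fd, how);
        result = (rc == -1) ? errno : 0;        /* capture errno before close() */
        close(fd);
        return result;
}

int main(void)
{
        static const struct { int how; const char *name; } modes[] = {
                { SHUT_RD, "SHUT_RD" }, { SHUT_WR, "SHUT_WR" }, { SHUT_RDWR, "SHUT_RDWR" },
        };
        size_t i;

        for (i = 0; i < sizeof modes / sizeof modes[0]; i++) {
                int r = shutdown_unconnected(modes[i].how);

                if (r == -1)
                        printf("%-9s socket() failed: %s\n", modes[i].name, strerror(errno));
                else if (r == 0)
                        printf("%-9s accepted on an unconnected socket: kernel lacks the check\n",
                            modes[i].name);
                else
                        printf("%-9s rejected: %s\n", modes[i].name, strerror(r));
        }
        return 0;
}
```

Run it on the box where the 0.0.0.0 packets were seen; a line reading "accepted" for any mode is the condition the proposed tcp_usr_shutdown check would turn into an error return.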