From owner-freebsd-bugs  Tue Jul 17 19:40: 8 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id C172F37B403
	for <freebsd-bugs@hub.freebsd.org>; Tue, 17 Jul 2001 19:40:00 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f6I2e0541082;
	Tue, 17 Jul 2001 19:40:00 -0700 (PDT)
	(envelope-from gnats)
Received: from wantadilla.lemis.com (wantadilla.lemis.com [192.109.197.80])
	by hub.freebsd.org (Postfix) with ESMTP id 3816B37B403
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 17 Jul 2001 19:33:12 -0700 (PDT)
	(envelope-from grog@lemis.com)
Received: by wantadilla.lemis.com (Postfix, from userid 1004)
	id DCF8A6ACBC; Wed, 18 Jul 2001 12:03:09 +0930 (CST)
Message-Id: <20010718023309.DCF8A6ACBC@wantadilla.lemis.com>
Date: Wed, 18 Jul 2001 12:03:09 +0930 (CST)
From: grog@lemis.com
Reply-To: grog@lemis.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/29054: bootp replies from multi-homed host have invalid source address
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         29054
>Category:       kern
>Synopsis:       bootp replies from multi-homed host have invalid source address
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 17 19:40:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Greg Lehey
>Release:        FreeBSD 4-STABLE
>Organization:
IBM Australia Ltd.
>Environment:

	Multi-homed FreeBSD box running 4-STABLE and bootparamd

>Description:

	A network boot from a multi-homed FreeBSD box fails because
	the bootp reply comes on the wrong address.  The system in
	question, echunga.lemis.com, has three interfaces:

	xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	        inet 192.109.197.82 netmask 0xffffffc0 broadcast 192.109.197.127
	        inet6 fe80::250:daff:fecf:17d3%xl0 prefixlen 64 scopeid 0x1 
	        ether 00:50:da:cf:17:d3 
	        media: autoselect (100baseTX <full-duplex>) status: active
	        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
	ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	        inet 192.109.197.137 netmask 0xffffffc0 broadcast 192.109.197.191
	        inet6 fe80::280:adff:feb7:c9c7%ed1 prefixlen 64 scopeid 0x3 
	        ether 00:80:ad:b7:c9:c7 
	ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	        inet 192.109.197.137 --> 139.130.136.129 netmask 0xffffffc0 

	A boot request arrives from an IBM RS/6000 on the
	192.109.197.64/26 interface:

	11:49:59.954427 0.0.0.0.68 > 255.255.255.255.67:  xid:0x4013efe secs:1654 [|bootp] [tos 0x40] 

	The reply comes on this network (interface xl0), and it the
	correct interface address (.82), the source address belongs to
	interface ed1:

	11:49:59.963240 192.109.197.137.67 > 255.255.255.255.68:  xid:0x4013efe secs:1654 Y:192.109.197.78 S:192.109.197.82 [|bootp] [tos 0x10] 

	Since this message is a broadcast, the RS/6000 appears to
	accept it:

	11:49:59.965464 arp who-has 192.109.197.82 tell 192.109.197.78
	11:49:59.965553 arp reply 192.109.197.82 is-at 0:50:da:cf:17:d3

	Next, the RS/6000 send a request to the specified address.
	Again the reply comes from the wrong interface address.

	11:49:59.967973 192.109.197.78.68 > 192.109.197.82.67:  xid:0x4013f0c secs:1654 [|bootp] [tos 0x40] 
	11:49:59.968760 192.109.197.137.67 > 255.255.255.255.68:  xid:0x4013f0c secs:1654 Y:192.109.197.78 S:192.109.197.82 [|bootp] [tos 0x10] 

	Since the address is not valid, the RS/6000 drops it.  This
	results in a hang:

	11:49:59.972663 192.109.197.78.68 > 192.109.197.82.67:  xid:0x4013f10 secs:1654 [|bootp] [tos 0x40] 
	11:49:59.973486 192.109.197.137.67 > 255.255.255.255.68:  xid:0x4013f10 secs:1654 Y:192.109.197.78 S:192.109.197.82 [|bootp] [tos 0x10] 
	11:49:59.975113 192.109.197.78.68 > 192.109.197.82.67:  xid:0x4013f14 secs:1654 [|bootp] [tos 0x40] 
	11:49:59.975930 192.109.197.137.67 > 255.255.255.255.68:  xid:0x4013f14 secs:1654 Y:192.109.197.78 S:192.109.197.82 [|bootp] [tos 0x10] 
	11:49:59.979787 192.109.197.78.68 > 192.109.197.82.67:  xid:0x4013f17 secs:1654 [|bootp] [tos 0x40] 
	11:49:59.980593 192.109.197.137.67 > 255.255.255.255.68:  xid:0x4013f17 secs:1654 Y:192.109.197.78 S:192.109.197.82 file ""[|bootp] [tos 0x10] 
	11:49:59.982232 192.109.197.78.68 > 192.109.197.82.67:  htype-#6 hlen:6 xid:0x4013f1b secs:1654 [|bootp] [tos 0x40] 
	11:50:01.988901 192.109.197.78.68 > 192.109.197.82.67:  htype-#6 hlen:6 xid:0x40146f2 secs:1656 file ""[|bootp] [tos 0x40] 

>How-To-Repeat:

	May be difficult.  The machine is available for testing.

>Fix:

	Not known.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message