Date: Wed, 15 Feb 1995 17:13:29 GMT From: Ollivier Robert <Ollivier.Robert@hsc.fr.net> To: freebsd-hackers@FreeBSD.org Subject: BUG in 4.4 raw_ip.c (fwd) Message-ID: <199502151713.SAA06581@sidhe.hsc-sec.fr> In-Reply-To: <3ht7f9$5v5@ra.nrl.navy.mil>
next in thread | previous in thread | raw e-mail | index | archive | help
Found in comp.os.386bsd.bugs. Don't know if it's fixed in FreeBSD or not.
------- start of forwarded message -------
From: danmcd@sundance.itd.nrl.navy.mil (Dan McDonald)
Newsgroups: comp.bugs.4bsd,comp.unix.bsd,comp.os.386bsd.bugs,comp.protocols.tcp-ip
Subject: BUG in 4.4 raw_ip.c
Date: 15 Feb 1995 15:43:37 GMT
Organization: Information Technology Division, Naval Research Laboratory
There is an obscure bug in 4.4 BSD (including 4.4-Lite) which affect raw
sockets that are bound to an address.
The fix is all of two characters, which inverts two tests in raw_ip.c. The
following is a context diff:
=====================(Cut up to and including here.)======================
armitage(sys/netinet)[0]% diff -c raw_ip.c /usr/src/sys/netinet/raw_ip.c
*** raw_ip.c Wed Feb 15 07:28:07 1995
--- /usr/src/sys/netinet/raw_ip.c Fri Dec 16 13:10:14 1994
***************
*** 93,102 ****
if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != ip->ip_p)
continue;
if (inp->inp_laddr.s_addr &&
! inp->inp_laddr.s_addr != ip->ip_dst.s_addr)
continue;
if (inp->inp_faddr.s_addr &&
! inp->inp_faddr.s_addr != ip->ip_src.s_addr)
continue;
if (last) {
struct mbuf *n;
--- 93,102 ----
if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != ip->ip_p)
continue;
if (inp->inp_laddr.s_addr &&
! inp->inp_laddr.s_addr == ip->ip_dst.s_addr)
continue;
if (inp->inp_faddr.s_addr &&
! inp->inp_faddr.s_addr == ip->ip_src.s_addr)
continue;
if (last) {
struct mbuf *n;
=====================(Cut up to and including here.)======================
To determine if your system is affected by this bug, here is code to test
it. (You will need to be root to run this...)
=====================(Cut up to and including here.)======================
/*
* test.c -- Silly program to test raw socket. Run without an argument
* to send. Run with an argument to receive.
*
* Daniel L. McDonald - U. S. Naval Research Laboratory
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
main(int argc)
{
int s;
s = socket(PF_INET,SOCK_RAW,69); /* 69, AFAIK, is not an
assigned protocol. */
if (s == -1)
{
perror("socket");
exit(1);
}
printf("argc = %d\n",argc);
if (argc > 1)
{
char *buf="Hello";
struct sockaddr_in dst = {AF_INET};
int rc;
dst.sin_addr.s_addr = htonl(0x7f000001); /* send it over loopback. */
rc = connect(s,&dst,sizeof(struct sockaddr_in));
if (rc == -1)
perror("connect");
else if ((rc = send(s,buf,strlen(buf)+1,0)) == -1)
perror("send");
else printf("%d bytes sent.\n",rc);
}
else
{
char buf[30];
struct sockaddr_in src={AF_INET,0, htonl(0x7f000001)};
int srclen,rc;
bzero(buf,10);
rc=bind(s,&src,sizeof(struct sockaddr_in));
if (rc == -1)
perror("bind");
else if ((rc=recvfrom(s,buf,30,0,&src,&srclen)) != -1)
printf("Got '%s' (%d bytes total) from %s, srclen %d\n",buf+20,rc,
inet_ntoa(src.sin_addr),srclen);
else perror("recvfrom");
}
}
=====================(Cut up to and including here.)======================
A few people had been notified of this earlier. I apologize for not
informing everyone sooner.
Enjoy!
--
Daniel L. McDonald | Mail: danmcd@itd.nrl.navy.mil -------------------------+
Computer Scientist | WWW: http://wintermute.itd.nrl.navy.mil/danmcd.html |
Naval Research Lab | Phone: (202) 404-7122 #include <disclaimer.h> |
Washington, DC | "Rise from the ashes, A blaze of everyday glory" - Rush +
------- end of forwarded message -------
--
Ollivier ROBERT -=-=- Hervi Schauer Consultants -=-=- roberto@hsc.fr.net
-=-=-=-=-=- Support The Free UNIX Systems ! FreeBSD NetBSD Linux -=-=-=-=-=-
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199502151713.SAA06581>