On Dec 7, 2010, at 14:19 , rozhuk...@gmail.com wrote:

> Hi!
> 
> 

Hi,

Sorry it has taken me a while to test this.  In the first two cases I cannot reproduce your results on HEAD.  I have attempted to test this with a modified arpwhohas.py script using PCS (ports/net/pcs).  I can send very large requests and I see them arrive with tcpdump but the kernel just throws them away.

I do not disagree that the code might be wrong, in particular in case 1, but I cannot reproduce your results.  If you wish to share your test code with me that would be fine, or you can try your test against HEAD and let me know your result.

> 1. ah->ar_hln - does it depend on ar_hrd?
> Yes, and for ARPHRD_ETHER it is 6 (ETHER_ADDR_LEN)
> For ARPHRD_IEEE1394 - sizeof(struct fw_hwaddr)
> ah->ar_hln is ignored in ether_output: bcopy(ar_tha(ah), edst, ETHER_ADDR_LEN);
> 
> check in in_arpinput:
>               if (ifp->if_addrlen != ah->ar_hln) {
>                       LLE_WUNLOCK(la);
>                       log(LOG_WARNING,
>                           "arp from %*D: addr len: new %d, i/f %d (ignored)",
>                           ifp->if_addrlen, (u_char *) ar_sha(ah), ":",
>                           ah->ar_hln, ifp->if_addrlen);
>                       goto reply;
>               }
> NO DROP!!!!
> In reply we get:
>               (void)memcpy(ar_tha(ah), ar_sha(ah), ah->ar_hln);
>               (void)memcpy(ar_sha(ah), enaddr, ah->ar_hln);
> Or 
>                       (void)memcpy(ar_tha(ah), ar_sha(ah), ah->ar_hln);
>                       (void)memcpy(ar_sha(ah), &lle->ll_addr, ah->ar_hln);
> 
> How to use it: see below.
> 
> 
> 2. ah->ar_pln - is not checked!
> We can make a big ARP request (512 nulls after struct arphdr + 2*6 + 2*4),
> valid for the host, and set ar_pln = 255
> And in the reply we will receive part of the stack, or a core panic:
> in_arpinput:
> (void)memcpy(ar_spa(ah), &itaddr, ah->ar_pln);
> ...
> m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);
> (equal to arphdr_len(ah))
> 
> 
> 
> 3. ar_sha(ah) - is not checked for multicast!
> Answers to a request may be sent to multicast addresses
> Only the broadcast and host addresses are checked.
> There is no check that ar_sha(ah) is equal to Ethernet.ether_shost
> As a result:
> arp -an
> ? (172.16.0.2) at 01:80:c2:00:00:01 on em0 expires in 118 seconds [ethernet]
> 
> 
> 
> 4. held packets may be sent without any locks
> 
> Current:
>               if (la->la_hold != NULL) {
>                       struct mbuf *m_hold, *m_hold_next;
> 
>                       bcopy(L3_ADDR(la), &sa, sizeof(sa));
>                       LLE_WUNLOCK(la);
>                       for (m_hold = la->la_hold, la->la_hold = NULL;
>                            m_hold != NULL; m_hold = m_hold_next) {
>                               m_hold_next = m_hold->m_nextpkt;
>                               m_hold->m_nextpkt = NULL;
>                               (*ifp->if_output)(ifp, m_hold, &sa, NULL);
>                       }
>               } else
>                       LLE_WUNLOCK(la);
>               la->la_hold = NULL;
>               la->la_numheld = 0;
> 
> Here we unlock la and then modify it - this is a bad idea!
> Patched - see the attached patch.
> 

This is now fixed in HEAD.  Thanks!

Best,
George
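The length and source-address checks that items 1 to 3 of the report call for, written out as an added user-space example for the Ethernet/IPv4 case (this is not the kernel's in_arpinput nor the reporter's patch; the enum names, the `arp_validate`/`arp_check_variant` helpers and the sample addresses are my own constructions):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-space mirror of the missing kernel checks (Ethernet/IPv4 case only). */
#define ARPHRD_ETHER   1
#define ETHERTYPE_IP   0x0800
#define ETHER_ADDR_LEN 6
#define ARPHDR_SIZE    8   /* ar_hrd, ar_pro, ar_hln, ar_pln, ar_op */

enum arp_verdict { ARP_OK, ARP_TRUNCATED, ARP_BAD_HRD, ARP_BAD_HLN,
                   ARP_BAD_PLN, ARP_MCAST_SHA, ARP_SHA_MISMATCH };
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Validate an ARP payload of `len` bytes before any ar_hln/ar_pln-sized copy is made;
 * eth_src is the source address of the Ethernet frame that carried it. */
enum arp_verdict arp_validate(const uint8_t *pkt, size_t len,
                              const uint8_t eth_src[ETHER_ADDR_LEN])
{
    if (len < ARPHDR_SIZE) return ARP_TRUNCATED;
    uint8_t hln = pkt[4], pln = pkt[5];
    if (be16(pkt) != ARPHRD_ETHER) return ARP_BAD_HRD;
    /* item 1: ar_hln must equal the interface address length before it sizes a memcpy */
    if (hln != ETHER_ADDR_LEN) return ARP_BAD_HLN;
    /* item 2: ar_pln must be the IPv4 length and arphdr_len() must fit inside the packet */
    if (be16(pkt + 2) != ETHERTYPE_IP || pln != 4) return ARP_BAD_PLN;
    if (len < ARPHDR_SIZE + 2u * hln + 2u * pln) return ARP_TRUNCATED;
    const uint8_t *sha = pkt + ARPHDR_SIZE;
    /* item 3: the sender hardware address must be unicast and match the frame source */
    if (sha[0] & 0x01) return ARP_MCAST_SHA;
    if (memcmp(sha, eth_src, ETHER_ADDR_LEN) != 0) return ARP_SHA_MISMATCH;
    return ARP_OK;
}

/* Constructed samples: a frame source, the multicast address seen in the report's
 * arp -an output, and a well-formed request from 172.16.0.2 for 172.16.0.1. */
static const uint8_t SRC_MAC[ETHER_ADDR_LEN]   = {0x00,0x11,0x22,0x33,0x44,0x55};
static const uint8_t STP_MCAST[ETHER_ADDR_LEN] = {0x01,0x80,0xc2,0x00,0x00,0x01};
static const uint8_t ARP_GOOD[28] = {
    0,1, 8,0, 6,4, 0,1,                        /* ether, ip, hln 6, pln 4, request */
    0x00,0x11,0x22,0x33,0x44,0x55, 172,16,0,2, /* sha, spa */
    0,0,0,0,0,0,                   172,16,0,1  /* tha, tpa */ };
/* Rebuild ARP_GOOD in the item-2 shape (512 zero bytes after the addresses) with the
 * given ar_pln and sender hardware address, and validate it as if received from SRC_MAC. */
enum arp_verdict arp_check_variant(uint8_t pln, const uint8_t sha[ETHER_ADDR_LEN])
{
    uint8_t big[28 + 512] = {0};
    memcpy(big, ARP_GOOD, sizeof ARP_GOOD);
    big[5] = pln;
    memcpy(big + ARPHDR_SIZE, sha, ETHER_ADDR_LEN);
    return arp_validate(big, sizeof big, SRC_MAC);
}
```

The oversized request with ar_pln = 255 is rejected before any ar_pln-sized copy is sized from it, and the 01:80:c2:00:00:01 sender address is rejected before it could enter the table.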

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"