
kernel/1824: sendmsg and raw_ip.c




>Number:         1824
>Category:       kernel
>Synopsis:       sendmsg fails with EINVAL when it shouldn't
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 16 05:20:01 MDT 2001
>Last-Modified:
>Originator:     Hal Snyder
>Organization:
Vail Systems
net
>Release:        OpenBSD-2.9 current, older versions
>Environment:
	
	System      : OpenBSD 2.9
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:
	sendmsg() is failing in Zebra's ospfd/ospfd_packet.c with error message
	  *** sendto in ospf_write failed with Invalid argument
	but arguments to sendmsg() look ok

	doing a kernel printf from sys/netinet/raw_ip.c:rip_output shows that in the test
                if ((ip->ip_hl != (sizeof (*ip) >> 2) && inp->inp_options) ||
                    ip->ip_len > m->m_pkthdr.len ||
                    ip->ip_len < ip->ip_hl << 2) {
                        m_freem(m);
                        return (EINVAL);
                }

	the second comparison is failing with ip->ip_len=16384 and m->m_pkthdr.len=64

	this suggests that the preceding lines
		NTOHS(ip->ip_len);
		NTOHS(ip->ip_off);
	are incorrect. Indeed, removing them stops the ospfd error messages
	and starts communication with other routers.


>How-To-Repeat:
	run any recent zebra ospfd; watch /var/log/daemon
>Fix:
	I am not familiar enough with the IP code to guarantee that this fix
	is sane and doesn't break something else. Somebody who knows OpenBSD IP
	better should sanity check it. But the patch does solve the immediate
	problem.


Index: raw_ip.c
===================================================================
RCS file: /cvs/src/sys/netinet/raw_ip.c,v
retrieving revision 1.21
diff -c -r1.21 raw_ip.c
*** raw_ip.c	2000/09/19 03:20:59	1.21
--- raw_ip.c	2001/05/16 09:45:14
***************
*** 211,218 ****
  			return (EMSGSIZE);
  		}
  		ip = mtod(m, struct ip *);
! 		NTOHS(ip->ip_len);
! 		NTOHS(ip->ip_off);
  		/*
  		 * don't allow both user specified and setsockopt options,
  		 * and don't allow packet length sizes that will crash
--- 211,217 ----
  			return (EMSGSIZE);
  		}
  		ip = mtod(m, struct ip *);
! 
  		/*
  		 * don't allow both user specified and setsockopt options,
  		 * and don't allow packet length sizes that will crash
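Review bot: this hunk changes the byte-order contract for every IP_HDRINCL caller instead of fixing the one caller that broke. The two values in the description, ip->ip_len=16384 (0x4000) and m->m_pkthdr.len=64 (0x0040), are exact byte swaps of each other, which indicates zebra stored ip_len in host order while the `NTOHS(ip->ip_len);` / `NTOHS(ip->ip_off);` lines being removed exist precisely because rev 1.21 expects those fields in network order. With the conversion deleted, a caller that correctly supplies network-order ip_len and ip_off would now see its 64 read as 16384 and fail the same `ip->ip_len > m->m_pkthdr.len` check, so the patch trades one broken application for all the conforming ones. Suggest keeping both NTOHS lines and having ospfd fill ip_len/ip_off with htons() on this platform; also, the replacement leaves a stray whitespace-only `!` line where the two lines were, which should be dropped from the patch.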

>Audit-Trail:
>Unformatted:
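The byte-order mismatch behind this report, as an added example that is neither OpenBSD's nor zebra's code: it models the rip_output() length check on a constructed 64-byte packet whose ip_len the caller has stored either in host order (as a little-endian i386 process would) or in network order, and shows what the stock rev 1.21 kernel and the patched kernel would each compare. The constants PKT_LEN and IP_LEN_OFF and the little-endian host assumption are this example's own.

```c
/* Byte-order model of the rip_output() length check quoted in the report. The ip_len
 * field is handled as the two bytes the caller stored in the packet buffer, so the
 * result is the same on any build host. Constructed example, not OpenBSD code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define IP_HL_WORDS 5          /* 20-byte header, no options */
#define IP_LEN_OFF  2          /* offset of ip_len in the IPv4 header */
#define PKT_LEN     64         /* m->m_pkthdr.len from the report */

/* The two ways a caller can store ip_len in the buffer it hands to sendmsg(). */
static void store_len(uint8_t *p, uint16_t v, int caller_host_order)
{
    if (caller_host_order) { p[0] = v & 0xff; p[1] = v >> 8; }  /* i386 host order (little-endian) */
    else                   { p[0] = v >> 8;   p[1] = v & 0xff; } /* htons(v): network order */
}

/* The value rip_output() ends up comparing. Stock rev 1.21 applies NTOHS(), i.e. reads the
 * bytes big-endian; with the NTOHS lines removed an i386 kernel reads them little-endian. */
uint16_t kernel_sees_len(int caller_host_order, int ntohs_present)
{
    uint8_t pkt[PKT_LEN] = {0};
    pkt[0] = 0x40 | IP_HL_WORDS;               /* version 4, ihl 5 */
    store_len(pkt + IP_LEN_OFF, PKT_LEN, caller_host_order);
    const uint8_t *p = pkt + IP_LEN_OFF;
    return ntohs_present ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)(p[0] | (p[1] << 8));
}

/* The check itself: EINVAL when ip_len exceeds the mbuf chain or is shorter than the header. */
int kernel_verdict(int caller_host_order, int ntohs_present)
{
    uint16_t ip_len = kernel_sees_len(caller_host_order, ntohs_present);
    if (ip_len > PKT_LEN || ip_len < (IP_HL_WORDS << 2))
        return EINVAL;                         /* m_freem(m); return (EINVAL); */
    return 0;
}

int main(void)
{
    static const char *caller[] = { "network-order caller", "host-order caller (zebra)" };
    static const char *kern[]   = { "NTOHS removed (patch)", "stock rev 1.21" };
    for (int c = 0; c < 2; c++)
        for (int k = 0; k < 2; k++)
            printf("%-26s %-22s ip_len=%5u -> %s\n", caller[c], kern[k],
                   kernel_sees_len(c, k), kernel_verdict(c, k) ? "EINVAL" : "ok");
    return 0;
}
```

The table it prints reproduces the report's 16384-vs-64 failure for a host-order caller on the stock kernel, and shows that the same failure would move to every network-order caller once the NTOHS lines are removed.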