
dhcpd misbehaviour with relay agents



Hello !

When a BOOTP relay agent sends this packet to an OpenBSD dhcpd server:

15:07:50.961302 0:f:66:c9:28:3f 0:c:f1:fa:f1:4b ip 342:
thorr.bootps > nectaris.bootps:  [udp
sum ok] (request) xid:0xc67c41f G:thorr ether
0:30:65:d:31:85 vend-rfc1048 DHCP:REQUEST RQ:guybrush
PR:SM+BR+TZ+DG+DN+NS+HN (DF) (ttl 64, id 0)

Here is the answer I get:

15:07:50.961634 0:c:f1:fa:f1:4b 0:30:65:d:31:85 ip 348:
nectaris.crans.org.bootps > thorr.bootps:  [udp sum ok]
(reply) xid:0xc67c41f Y:guybrush
S:nectaris G:thorr vend-rfc1048 DHCP:ACK
SID:nectaris.crans.org LT:2152792320 SM:255.255.252.0
BR:138.231.151.255 DG:nectaris DN:"wifi"
NS:nectaris HN:"guybrush" [tos 0x10] (ttl 16, id 0)

The answer is almost correct, except that it is addressed to
0:30:65:d:31:85 which is the client, instead of 0:f:66:c9:28:3f which
is the BOOTP relay agent.

RFC 2131 states that:
   If the 'giaddr' field in a DHCP message from a client is non-zero,
   the server sends any return messages to the 'DHCP server' port on
   the BOOTP relay agent whose address appears in 'giaddr'.

Looking at the sources, I notice that in all cases, the destination
ethernet address is set with this line:

         memcpy(hto.haddr, packet->raw->chaddr, hto.hlen);

The IP destination address is set afterwards with distinct cases for
gatewayed packet and direct packet. I think a similar case should be
made for the destination hardware address. However, the modification
is not trivial since I don't see how to get the hardware address of
the gateway.
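As an added illustration (example code, not OpenBSD dhcpd source), the RFC 2131 section 4.1 reply-addressing rule with the link-layer destination made explicit: only the direct, non-broadcast case may use chaddr as the frame destination, while the relayed case needs the relay's own MAC (in the capture above, the source MAC of the relayed request, 0:f:66:c9:28:3f). The struct names, the hw_dest enum and the 10.0.0.x sample addresses are constructed for this example; resolving the relay's MAC is only labelled, not implemented.

```c
/* Added example, not OpenBSD dhcpd code: the reply-addressing rule of
 * RFC 2131 section 4.1, with the link-layer destination made explicit.
 * The point is the relay case: IP goes to giaddr, and the frame must go
 * to the relay's MAC, not to chaddr. Sample values are constructed. */
#include <stdint.h>

#define DHCP_SERVER_PORT 67
#define DHCP_CLIENT_PORT 68
#define BOOTP_BROADCAST  0x8000   /* bit 15 of the BOOTP flags field */

struct dhcp_ctx {              /* the header fields the decision needs */
    uint32_t giaddr;           /* relay agent address, 0 if not relayed */
    uint32_t ciaddr;           /* client's current address, 0 if none */
    uint32_t yiaddr;           /* address being assigned to the client */
    uint16_t flags;
};

/* Where the reply frame must be sent at the link layer. */
enum hw_dest {
    HW_CLIENT_CHADDR,   /* the client's chaddr from the request */
    HW_BROADCAST,       /* ff:ff:ff:ff:ff:ff */
    HW_RESOLVE_GIADDR,  /* relay MAC: ARP for giaddr, or the request's source MAC */
    HW_RESOLVE_CIADDR   /* normal routing/ARP toward ciaddr */
};

struct reply_dest { uint32_t ip; uint16_t port; enum hw_dest hw; };

struct reply_dest choose_reply_dest(const struct dhcp_ctx *p)
{
    struct reply_dest d;
    if (p->giaddr != 0) {
        /* Relayed request: unicast to the relay agent on the *server* port. */
        d.ip = p->giaddr; d.port = DHCP_SERVER_PORT; d.hw = HW_RESOLVE_GIADDR;
    } else if (p->ciaddr != 0) {
        d.ip = p->ciaddr; d.port = DHCP_CLIENT_PORT; d.hw = HW_RESOLVE_CIADDR;
    } else if (p->flags & BOOTP_BROADCAST) {
        d.ip = 0xffffffffu; d.port = DHCP_CLIENT_PORT; d.hw = HW_BROADCAST;
    } else {
        /* Client has no address yet and did not ask for broadcast:
         * only here is chaddr the right frame destination. */
        d.ip = p->yiaddr; d.port = DHCP_CLIENT_PORT; d.hw = HW_CLIENT_CHADDR;
    }
    return d;
}

/* Constructed samples: a request relayed by a gateway at 10.0.0.1, and a
 * direct request from a client with no address and no broadcast bit. */
static const struct dhcp_ctx sample_relayed = { 0x0a000001u, 0, 0x0a000064u, 0 };
static const struct dhcp_ctx sample_direct  = { 0, 0, 0x0a000064u, 0 };
```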
-- 
NON-FLAMMABLE, IS NOT A CHALLENGE
NON-FLAMMABLE, IS NOT A CHALLENGE
NON-FLAMMABLE, IS NOT A CHALLENGE
-+- Bart Simpson on chalkboard in episode BABF13