On 15 April 2014 08:34, Otto Moerbeek <o...@drijf.net> wrote:
> On Mon, Apr 14, 2014 at 09:32:43PM -0400, sven falempin wrote:
>
>> so i got gdb back to the machine because i cannot reproduce outside of the 
>> box.
>> gdb too old cannot gcore.
>>
>> The state is nasty, but i do get the trace of the dhcp transaction.
>>
>> [..]
>> DHCPREQUEST on trunk0 to 255.255.255.255 port 67
>> DHCPACK from 10.0.0.254 (96:4f:87:9c:ad:67)
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x1c005b26 in add_classless_static_routes (rdomain=13684944,
>> classless_static_routes=0x0) at /usr/src/sbin/dhclient/dhclient.c:2408
>> 2408    /usr/src/sbin/dhclient/dhclient.c: No such file or directory.
>>         in /usr/src/sbin/dhclient/dhclient.c
>> (gdb) bt
>> #0  0x1c005b26 in add_classless_static_routes (rdomain=13684944,
>> classless_static_routes=0x0) at /usr/src/sbin/dhclient/dhclient.c:2408
>> #1  0xd0d0d0d0 in ?? ()
>> #2  0x00d0d0d0 in ?? ()
>> #3  0x00000000 in ?? ()
>
> ... the line in 5.4 is :
>
> 2405:           i += bytes;
> 2406:
> 2407:           memset(&gateway, 0, sizeof(gateway));
> 2408:           memcpy(&gateway, &classless_static_routes->data[i], 4);
>
> The memcpy segfaults.

Not surprising *if* the gdb info is correct and the pointer parameter
'classless_static_routes' is NULL. :-)

> Current and 5.5 have a rewritten version of this code.
> Can you reproduce on current?

That would be good to check, but if there is a NULL pointer being passed
I fear it will still fault.

>
>         -Otto
>

[snip]

>>
>> 1397524674.011308 96:4f:87:9c:ad:67 fe:e1:ba:d0:8e:d0 0800 373:
>> 10.0.0.254.67 > 10.0.0.126.68: xid:0x95ce17 Y:10.0.0.126 S:10.0.0.254
>> vend-rfc1048 DHCP:ACK SID:10.0.0.254 LT:43200 RN:21600 RB:37800
>> SM:255.255.255.0 BR:10.0.0.255 HN:"ulis-v12-GW"
>> T121:415279105,3232236030,415279114,3232236030,3232236030,167772414
>> NS:10.0.0.254 DG:10.0.0.254 (DF)
>>   0000: fee1 bad0 8ed0 964f 879c ad67 0800 4500  .......O...g..E.
>>   0010: 0167 0000 4000 4011 240b 0a00 00fe 0a00  .g..@.@.$.......
>>   0020: 007e 0043 0044 0153 9aa6 0201 0600 0095  .~.C.D.S........
>>   0030: ce17 0000 0000 0000 0000 0a00 007e 0a00  .............~..
>>   0040: 00fe 0000 0000 fee1 bad0 8ed0 0000 0000  ................
>>   0050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   0060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   0070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   0080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   0090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   00a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   00b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   00c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   00d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   00e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   00f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   0100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
>>   0110: 0000 0000 0000 6382 5363 3501 0536 040a  ......c.Sc5..6..
>>   0120: 0000 fe33 0400 00a8 c03a 0400 0054 603b  ...3.....:...T`;
>>   0130: 0400 0093 a801 04ff ffff 001c 040a 0000  ................
>>   0140: ff0c 0b75 6c69 732d 7631 322d 4757 7918  ...ulis-v12-GWy.
>>   0150: 18c0 a801 c0a8 01fe 18c0 a80a c0a8 01fe  ................
>>   0160: c0a8 01fe 0a00 00fe 0604 0a00 00fe 0304  ................
>>   0170: 0a00 00fe ff                             .....
>

Pulling out the options provided we get

Options
=======

6382 5363 /* Cookie */
35 01 05           /* DHCP message type */
36 04 0a 00 00 fe  /* DHCP server id */
33 04 00 00 a8 c0  /* DHCP lease time */
3a 04 00 00 54 60  /* DHCP renewal time */
3b 04 00 00 93 a8  /* DHCP rebinding time */
01 04 ff ff ff 00  /* Subnet Mask */
1c 04 0a 00 00 ff  /* Broadcast Address */
0c 0b 75 6c 69 73 2d 76 31 32 2d 47 57  /* Hostname */
79 18 18 c0 a8 01 c0 a8 01 fe 18 c0 a8 0a c0 a8 01 fe c0 a8 01 fe 0a
00 00 fe  /* Classless static routes */
06 04 0a 00 00 fe  /* Domain Name Servers */
03 04 0a 00 00 fe  /* Routers */
ff                 /* End of Options */


And looking at the classless static routes closer we see

79 18
      18 c0 a8 01 c0 a8 01 fe  /* 192.168.1/24 via 192.168.1.254 */
      18 c0 a8 0a c0 a8 01 fe  /* 192.168.10/24 via 192.168.1.254 */
      c0 a8 01 fe 0a 00 00 fe  /* ??? */

Where the last one is, to use the technical term, fucked. It seems to
specify a network with 'c0' == 192 bits. I can't see how this would
cause a NULL pointer to be passed though.

.... Ken
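To make the option 121 analysis above concrete, here is an added example decoder (not dhclient's code, and not from any of the people on this thread) that walks the RFC 3442 encoding the way the hand decode does: one prefix-length byte, the significant octets of the destination, then a 4-byte router. It validates each entry before copying anything, so the third entry with its 0xc0 (192) prefix length is reported as malformed instead of being read past the end of the option, and a NULL option pointer is rejected rather than dereferenced. The byte array is constructed from the DHCPACK hex dump above; the function and variable names are the example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* One decoded RFC 3442 route: destination prefix, prefix length, gateway. */
struct cs_route {
	uint32_t dest;      /* host byte order */
	int      plen;
	uint32_t gateway;   /* host byte order */
};

/* Constructed from the 0x18 option-121 bytes in the DHCPACK dump above. */
static const uint8_t option121_data[] = {
	0x18, 0xc0, 0xa8, 0x01, 0xc0, 0xa8, 0x01, 0xfe,  /* 192.168.1/24 via 192.168.1.254 */
	0x18, 0xc0, 0xa8, 0x0a, 0xc0, 0xa8, 0x01, 0xfe,  /* 192.168.10/24 via 192.168.1.254 */
	0xc0, 0xa8, 0x01, 0xfe, 0x0a, 0x00, 0x00, 0xfe   /* prefix length 0xc0: malformed */
};

/*
 * Decode classless static routes from option data of length len into out
 * (at most max entries). Returns the number of well-formed routes decoded,
 * or -1 if data is NULL. Decoding stops at the first entry whose prefix
 * length exceeds 32 or which would run past the end of the option; in that
 * case *malformed is set to 1, otherwise to 0.
 */
int decode_classless_routes(const uint8_t *data, size_t len,
    struct cs_route *out, size_t max, int *malformed)
{
	size_t i = 0, n = 0;

	*malformed = 0;
	if (data == NULL)            /* the condition the gdb trace shows */
		return -1;

	while (i < len) {
		int plen = data[i++];
		if (plen > 32) {          /* e.g. 0xc0 == 192 in this dump */
			*malformed = 1;
			break;
		}
		size_t bytes = ((size_t)plen + 7) / 8;  /* significant dest octets */
		if (i + bytes + 4 > len) {              /* entry truncated */
			*malformed = 1;
			break;
		}
		uint32_t dest = 0, gw = 0;
		for (size_t k = 0; k < bytes; k++)
			dest |= (uint32_t)data[i + k] << (24 - 8 * k);
		i += bytes;
		for (size_t k = 0; k < 4; k++)
			gw = (gw << 8) | data[i + k];
		i += 4;
		if (n < max) {
			out[n].dest = dest;
			out[n].plen = plen;
			out[n].gateway = gw;
		}
		n++;
	}
	return (int)n;
}

/* Results of decoding the sample, kept in globals so they can be inspected. */
struct cs_route sample_routes[4];
int sample_malformed;

/* Decode the constructed sample; returns the number of valid routes. */
int run_sample(void)
{
	return decode_classless_routes(option121_data, sizeof(option121_data),
	    sample_routes, 4, &sample_malformed);
}

static void print_ip(uint32_t a)
{
	printf("%u.%u.%u.%u", a >> 24, (a >> 16) & 0xff, (a >> 8) & 0xff, a & 0xff);
}

int main(void)
{
	int n = run_sample();

	for (int k = 0; k < n; k++) {
		print_ip(sample_routes[k].dest);
		printf("/%d via ", sample_routes[k].plen);
		print_ip(sample_routes[k].gateway);
		printf("\n");
	}
	if (sample_malformed)
		printf("stopped at malformed entry after %d route(s)\n", n);
	return 0;
}
```

Run on the sample it prints the two routes Ken decoded and then reports the third entry as malformed; the same checks applied to `classless_static_routes->data` before the `memcpy` at line 2408 would turn an out-of-bounds read into a logged, rejected option.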
