On Tue, Apr 15, 2014 at 8:05 AM, Otto Moerbeek <o...@drijf.net> wrote:

>
> > > On 15 Apr 2014 at 13:13, Kenneth Westerback <kwesterb...@gmail.com> wrote the following:
> >
> >> On 15 April 2014 08:34, Otto Moerbeek <o...@drijf.net> wrote:
> >>> On Mon, Apr 14, 2014 at 09:32:43PM -0400, sven falempin wrote:
> >>>
> >>> so I got gdb back to the machine because I cannot reproduce outside of the box.
> >>> gdb too old, cannot gcore.
> >>>
> >>> The state is nasty, but I do get the trace of the dhcp transaction.
> >>>
> >>> [..]
> >>> DHCPREQUEST on trunk0 to 255.255.255.255 port 67
> >>> DHCPACK from 10.0.0.254 (96:4f:87:9c:ad:67)
> >>>
> >>> Program received signal SIGSEGV, Segmentation fault.
> >>> 0x1c005b26 in add_classless_static_routes (rdomain=13684944,
> >>> classless_static_routes=0x0) at /usr/src/sbin/dhclient/dhclient.c:2408
> >>> 2408    /usr/src/sbin/dhclient/dhclient.c: No such file or directory.
> >>>        in /usr/src/sbin/dhclient/dhclient.c
> >>> (gdb) bt
> >>> #0  0x1c005b26 in add_classless_static_routes (rdomain=13684944,
> >>> classless_static_routes=0x0) at /usr/src/sbin/dhclient/dhclient.c:2408
> >>> #1  0xd0d0d0d0 in ?? ()
> >>> #2  0x00d0d0d0 in ?? ()
> >>> #3  0x00000000 in ?? ()
> >>
> >> ... the line in 5.4 is :
> >>
> >> 2405:           i += bytes;
> >> 2406:
> >> 2407:           memset(&gateway, 0, sizeof(gateway));
> >> 2408:           memcpy(&gateway, &classless_static_routes->data[i], 4);
> >>
> >> The memcpy segfaults.
> >
> > Not surprising *if* the gdb info is correct and the pointer parameter
> > 'classless_static_routes' is NULL. :-)
> >
> >> Current and 5.5 have a rewritten version of this code.
> >> Can you reproduce on current?
> >
> > That would be good to check, but if there a NULL pointer being passed
> > I fear it will still fault.
> >
> >>
> >>        -Otto
> >
> > [snip]
> >
> >>>
> >>> 1397524674.011308 96:4f:87:9c:ad:67 fe:e1:ba:d0:8e:d0 0800 373:
> >>> 10.0.0.254.67 > 10.0.0.126.68: xid:0x95ce17 Y:10.0.0.126 S:10.0.0.254
> >>> vend-rfc1048 DHCP:ACK SID:10.0.0.254 LT:43200 RN:21600 RB:37800
> >>> SM:255.255.255.0 BR:10.0.0.255 HN:"ulis-v12-GW"
> >>> T121:415279105,3232236030,415279114,3232236030,3232236030,167772414
> >>> NS:10.0.0.254 DG:10.0.0.254 (DF)
> >>>  0000: fee1 bad0 8ed0 964f 879c ad67 0800 4500  .......O...g..E.
> >>>  0010: 0167 0000 4000 4011 240b 0a00 00fe 0a00  .g..@.@.$.......
> >>>  0020: 007e 0043 0044 0153 9aa6 0201 0600 0095  .~.C.D.S........
> >>>  0030: ce17 0000 0000 0000 0000 0a00 007e 0a00  .............~..
> >>>  0040: 00fe 0000 0000 fee1 bad0 8ed0 0000 0000  ................
> >>>  0050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  0060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  0070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  0080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  0090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  00a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  00b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  00c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  00d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  00e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  00f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  0100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> >>>  0110: 0000 0000 0000 6382 5363 3501 0536 040a  ......c.Sc5..6..
> >>>  0120: 0000 fe33 0400 00a8 c03a 0400 0054 603b  ...3.....:...T`;
> >>>  0130: 0400 0093 a801 04ff ffff 001c 040a 0000  ................
> >>>  0140: ff0c 0b75 6c69 732d 7631 322d 4757 7918  ...ulis-v12-GWy.
> >>>  0150: 18c0 a801 c0a8 01fe 18c0 a80a c0a8 01fe  ................
> >>>  0160: c0a8 01fe 0a00 00fe 0604 0a00 00fe 0304  ................
> >>>  0170: 0a00 00fe ff                             .....
> >
> > Pulling out the options provided we get
> >
> > Options
> > =======
> >
> > 6382 5363 /* Cookie */
> > 35 01 05           /* DHCP message type */
> > 36 04 0a 00 00 fe  /* DHCP server id */
> > 33 04 00 00 a8 c0  /* DHCP lease time */
> > 3a 04 00 00 54 60  /* DHCP renewal time */
> > 3b 04 00 00 93 a8  /* DHCP rebinding time */
> > 01 04 ff ff ff 00  /* Subnet Mask */
> > 1c 04 0a 00 00 ff  /* Broadcast Address */
> > 0c 0b 75 6c 69 73 2d 76 31 32 2d 47 57  /* Hostname */
> > 79 18 18 c0 a8 01 c0 a8 01 fe 18 c0 a8 0a c0 a8 01 fe c0 a8 01 fe 0a
> > 00 00 fe  /* Classless static routes */
> > 06 04 0a 00 00 fe  /* Domain Name Servers */
> > 03 04 0a 00 00 fe  /* Routers */
> > ff                 /* End of Options */
> >
> >
> > And looking at the classless static routes closer we see
> >
> > 79 18
> >      18 c0 a8 01 c0 a8 01 fe  /* 192.168.1/24 via 192.168.1.254 */
> >      18 c0 a8 0a c0 a8 01 fe  /* 192.168.10/24 via 192.168.1.254 */
> >      c0 a8 01 fe 0a 00 00 fe  /* ??? */
> >
> > Where the last one is, to use the technical term, fucked. It seems to
> > specify a network with 'c0' == 192 bits. I can't see how this would
> > cause a NULL pointer to be passed though.
> >
> > .... Ken
>
> I think the NULL is a red herring. If I see things correctly the value
> comes from an & expression which should never be NULL. It's pretty common
> for gdb to get locals or args wrong, or maybe the stack is smashed.
>
>  -Otto



I cannot reproduce the same dhcp packet using the same configuration and
software on a snapshot (scary but not an OpenBSD problem),
so I try a replay attack,
and it does not reproduce on the latest snapshot
using this (but the client is also not accepting the packet :s):


#!/usr/bin/perl
# Replay the captured DHCPACK (with the broken option 121 included) to the
# next client that sends a request, so the dhclient crash can be reproduced.

use strict;
use warnings;

use IO::Socket::INET;
use Socket qw(pack_sockaddr_in inet_aton);

$| = 1;

# UDP socket bound to the DHCP server port. SO_BROADCAST is needed because the
# reply goes to 255.255.255.255:68, as a real server does for a client that
# has no address yet.
my $socket = IO::Socket::INET->new(
    LocalPort => 67,
    Proto     => 'udp',
    Broadcast => 1,
    ReuseAddr => 1,
) or die "ERROR in Socket Creation : $!";

# wait for the client's DHCPDISCOVER/DHCPREQUEST
my $received_data;
$socket->recv($received_data, 1024) or die "recv failed: $!";
die "request too short (" . length($received_data) . " bytes)\n"
    if length($received_data) < 44;

# fixed-size BOOTP header (236 bytes) of the captured ACK
my $data =
"\x02\x01\x06\x00\xe8\x28\x60\xe2\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x53\x0a\x00\x00\xfe\x00\x00\x00\x00\x12\xfa\xd0\xf8\x1c\xf7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

# options exactly as captured on the wire; option 121 (0x79) is the broken one
$data .=
"\x63\x82\x53\x63\x35\x01\x05\x36\x04\x0a\x00\x00\xfe\x33\x04\x00\x00\xa8\xc0\x3a\x04\x00\x00\x54\x60\x3b\x04\x00\x00\x93\xa8\x01\x04\xff\xff\xff\x00\x1c\x04\x0a\x00\x00\xff\x0c\x0b\x75\x6c\x69\x73\x2d\x76\x31\x32\x2d\x47\x57\x79\x18\x18\xc0\xa8\x01\xc0\xa8\x01\xfe\x18\xc0\xa8\x0a\xc0\xa8\x01\xfe\xc0\xa8\x01\xfe\x0a\x00\x00\xfe\x06\x04\x0a\x00\x00\xfe\x03\x04\x0a\x00\x00\xfe\xff";

# A client discards replies whose xid or chaddr do not match its own request,
# so copy both from the request just received (xid at offset 4, chaddr at 28).
substr($data, 4, 4)   = substr($received_data, 4, 4);
substr($data, 28, 16) = substr($received_data, 28, 16);

my $dest = pack_sockaddr_in(68, inet_aton('255.255.255.255'));
$socket->send($data, 0, $dest) or die "send failed: $!";

print "heeeeelllllllllo\n";
sleep 1;

$socket->close();



-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
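The thread's only code is the Perl replay above, so here is an added example of the parsing the crash lives in, written in C like dhclient but entirely my own (not from the thread and not OpenBSD's dhclient code). It walks the option TLVs from the DHCPACK dump Ken decoded, pulls out option 121 and decodes it per RFC 3442, and refuses the third entry because its prefix-length byte is 0xc0 (192), which exceeds 32. A decoder that instead turned 192 into a 24-octet destination and advanced its index by it would already be past the end of the 24-byte option, which is what an unchecked `i += bytes` followed by a `memcpy` from `data[i]` amounts to. The function names (`find_dhcp_option`, `parse_classless_routes`), the `cs_route` struct and the accessor helpers are my own; the option bytes are copied from the dump on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded RFC 3442 route; addresses held as host-order uint32. */
struct cs_route {
    uint32_t dest;
    uint8_t  prefixlen;
    uint32_t gateway;
};

#define MAX_ROUTES 16

/* Load up to 4 big-endian octets into a host-order uint32. */
static uint32_t load_be(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    for (size_t k = 0; k < n; k++)
        v |= (uint32_t)p[k] << (24 - 8 * k);
    return v;
}

/*
 * Parse the body of DHCP option 121 (RFC 3442). Each entry is
 *   <prefix length> <ceil(prefix/8) destination octets> <4 router octets>.
 * Returns the number of routes decoded, or -1 at the first malformed entry
 * (prefix length > 32, entry truncated by the option length, too many
 * routes). Rejecting the whole option means a bad entry never becomes an
 * index past the end of the option data.
 */
int parse_classless_routes(const uint8_t *data, size_t len,
                           struct cs_route *out, size_t max)
{
    size_t i = 0;
    int n = 0;

    while (i < len) {
        uint8_t plen = data[i++];
        if (plen > 32)
            return -1;                  /* 0xc0 == 192 bits on the page */
        size_t dbytes = (plen + 7) / 8; /* significant destination octets */
        if (len - i < dbytes + 4)
            return -1;                  /* entry runs past the option */
        if ((size_t)n >= max)
            return -1;
        out[n].prefixlen = plen;
        out[n].dest = load_be(data + i, dbytes);
        i += dbytes;
        out[n].gateway = load_be(data + i, 4);
        i += 4;
        n++;
    }
    return n;
}

/*
 * Walk the options area (starting at the 99.130.83.99 cookie) and return a
 * pointer to the body of option `want`, storing its length in *optlen.
 * NULL if the cookie is missing, the option is absent, or a declared length
 * would run past the buffer.
 */
const uint8_t *find_dhcp_option(const uint8_t *opts, size_t len,
                                uint8_t want, size_t *optlen)
{
    static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };

    if (len < 4 || memcmp(opts, cookie, 4) != 0)
        return NULL;
    for (size_t i = 4; i < len; ) {
        uint8_t code = opts[i++];
        if (code == 0xff)               /* End of Options */
            return NULL;
        if (code == 0x00)               /* Pad */
            continue;
        if (i >= len)
            return NULL;
        uint8_t l = opts[i++];
        if (l > len - i)
            return NULL;                /* length overruns buffer */
        if (code == want) {
            *optlen = l;
            return opts + i;
        }
        i += l;
    }
    return NULL;
}

/* The 95 option bytes from the DHCPACK hex dump on the page (offset 0x116). */
static const uint8_t page_options[] = {
    0x63,0x82,0x53,0x63,                      /* cookie */
    0x35,0x01,0x05,                           /* message type: ACK */
    0x36,0x04,0x0a,0x00,0x00,0xfe,            /* server id */
    0x33,0x04,0x00,0x00,0xa8,0xc0,            /* lease time */
    0x3a,0x04,0x00,0x00,0x54,0x60,            /* renewal time */
    0x3b,0x04,0x00,0x00,0x93,0xa8,            /* rebinding time */
    0x01,0x04,0xff,0xff,0xff,0x00,            /* subnet mask */
    0x1c,0x04,0x0a,0x00,0x00,0xff,            /* broadcast */
    0x0c,0x0b,0x75,0x6c,0x69,0x73,0x2d,0x76,0x31,0x32,0x2d,0x47,0x57, /* hostname */
    0x79,0x18,                                /* option 121, 24 bytes */
      0x18,0xc0,0xa8,0x01,0xc0,0xa8,0x01,0xfe,
      0x18,0xc0,0xa8,0x0a,0xc0,0xa8,0x01,0xfe,
      0xc0,0xa8,0x01,0xfe,0x0a,0x00,0x00,0xfe, /* prefix length byte 0xc0 */
    0x06,0x04,0x0a,0x00,0x00,0xfe,            /* DNS */
    0x03,0x04,0x0a,0x00,0x00,0xfe,            /* routers */
    0xff
};

static struct cs_route routes[MAX_ROUTES];

/* Option 53 from the page's bytes: 5 == DHCPACK, -1 if absent. */
int page_message_type(void)
{
    size_t l;
    const uint8_t *p = find_dhcp_option(page_options, sizeof page_options, 53, &l);
    return (p && l == 1) ? p[0] : -1;
}

/* Full option 121 from the page: -1, the third entry is rejected. */
int check_page_option121(void)
{
    size_t l;
    const uint8_t *p = find_dhcp_option(page_options, sizeof page_options, 121, &l);
    return p ? parse_classless_routes(p, l, routes, MAX_ROUTES) : -2;
}

/* The same option cut after its two well-formed entries (16 bytes): 2. */
int check_first_two_routes(void)
{
    size_t l;
    const uint8_t *p = find_dhcp_option(page_options, sizeof page_options, 121, &l);
    return p ? parse_classless_routes(p, 16, routes, MAX_ROUTES) : -2;
}

uint32_t route_dest(int i)    { return routes[i].dest; }
uint32_t route_gateway(int i) { return routes[i].gateway; }
int      route_prefix(int i)  { return routes[i].prefixlen; }

#define QUAD(a) (unsigned)((a) >> 24), (unsigned)(((a) >> 16) & 255), \
                (unsigned)(((a) >> 8) & 255), (unsigned)((a) & 255)

int main(void)
{
    printf("message type %d, full option 121 -> %d\n",
           page_message_type(), check_page_option121());
    int n = check_first_two_routes();
    for (int i = 0; i < n; i++)
        printf("%u.%u.%u.%u/%d via %u.%u.%u.%u\n",
               QUAD(route_dest(i)), route_prefix(i), QUAD(route_gateway(i)));
    return 0;
}
```

Run as-is it reports the ACK type, -1 for the full option, then the two good routes (192.168.1.0/24 and 192.168.10.0/24 via 192.168.1.254). The two length checks are the point: the TLV walker refuses an option length that exceeds the remaining buffer, and the route decoder refuses a prefix length over 32 before using it to compute how far to step, so the server's garbage trailing entry is dropped at the parser instead of reaching a memcpy.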