From sudish@mindspring.com  Wed May 30 02:31:11 2001
Return-Path: <sudish@mindspring.com>
Received: from ra.eng.mindspring.net (ra.eng.mindspring.net [207.69.192.184])
	by hub.freebsd.org (Postfix) with SMTP id 8EA4937B422
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 May 2001 02:31:10 -0700 (PDT)
	(envelope-from sudish@mindspring.com)
Received: (qmail 1446 invoked by uid 52477); 30 May 2001 09:31:01 -0000
Message-Id: <yviar8x7xjxm.fsf@ra.eng.mindspring.net>
Date: 30 May 2001 05:31:01 -0400
From: Sudish Joseph <sudish@mindspring.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: /usr/bin/ppp issues unaligned accesses and core dumps on an alpha
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         27766
>Category:       alpha
>Synopsis:       /usr/bin/ppp issues unaligned accesses and core dumps on alpha (patch included)
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-alpha
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 30 02:40:01 PDT 2001
>Closed-Date:    Wed May 30 08:53:15 PDT 2001
>Last-Modified:  Wed May 30 08:53:47 PDT 2001
>Originator:     Sudish Joseph
>Release:        FreeBSD 4.3-STABLE alpha
>Organization:
>Environment:
System: FreeBSD aleph.weenal.com 4.3-STABLE FreeBSD 4.3-STABLE #0: Wed May 30 02:26:09 GMT 2001 root@aleph.weenal.com:/usr/obj/usr/src/sys/SUDISH alpha
>Description:
/usr/sbin/ppp attempts unaligned accesses when resolving dns queries.
On an alpha this can and does cause a core dump.  The patch below removes
the unaligned access.
>How-To-Repeat:
Run /usr/bin/ppp on an alpha and do anything that causes ppp to do dns
lookups.  For instance, try a traceroute without -n.  Given the right
dns reply packet -- one with unaligned data -- ppp dumps core.
>Fix:
The following patch replaces the unaligned access with a bcopy(), which
fixes the problem.

--- /usr/src/usr.sbin/ppp/ip.c	Thu May 17 19:11:47 2001
+++ /usr/src/usr.sbin/ppp/ip.c	Tue May 29 06:10:34 2001
@@ -452,6 +452,7 @@
   const u_char *ptr;
   u_short *hptr;
   int len;
+  u_short tmp;
 
   ptr = (const char *)uh + sizeof *uh;
   len = ntohs(uh->uh_ulen) - sizeof *uh;
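Review bot: the new `u_short tmp` is a fine scratch slot for the two halfword copies, but the neighbouring `u_short *hptr` declaration suggests this function also walks the packet through a halfword pointer elsewhere; if `hptr` is ever pointed at an address derived from `ptr`, it has the same alignment trap this change fixes for `end` and should get the same bcopy treatment. Style point: `ptr` is declared `const u_char *`, yet the assignment casts to `(const char *)`; `(const u_char *)uh + sizeof *uh` would match the declaration.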
@@ -489,8 +490,10 @@
       n += len;
     }
     *n = '\0';
-    qtype = dns_Qtype2Txt(ntohs(*(const u_short *)end));
-    qclass = dns_Qclass2Txt(ntohs(*(const u_short *)(end + 2)));
+    bcopy(end, &tmp, sizeof(tmp));
+    qtype = dns_Qtype2Txt(ntohs(tmp));
+    bcopy(end + 2, &tmp, sizeof(tmp));
+    qclass = dns_Qclass2Txt(ntohs(tmp));
 
     log_Printf(LogDNS, "%sbound query %s %s %s\n",
                direction, qclass, qtype, namewithdot);
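Review bot: nothing in this hunk guards that four bytes actually follow `end` before the two `bcopy()` calls read them; `len` is derived from `ntohs(uh->uh_ulen)` in the first hunk and is peer-supplied, so a query whose name runs up to the last byte of the UDP payload could make the copies read past the packet data. Suggest a check such as `end + 4 <= ptr + len` (or the equivalent with whatever bound the name loop above uses) before the copies, skipping the log line when it fails. The bcopy replacement itself is the right fix for the alpha trap: copying into the aligned `tmp` and calling `ntohs()` on that never requires `end` to be 2-byte aligned, whereas `*(const u_short *)end` does.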

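As an added example, not code from this PR or from ppp's own ip.c, the following C program shows the technique the patch applies, reading the QTYPE and QCLASS halfwords that follow a DNS question name through an aligned temporary, and goes one step further by bounds-checking the name walk and the four trailing bytes against the payload length, which the hunk above does not show. The function names (dns_parse_question, read_be16), the demo functions and the sample packet bytes are assumptions constructed for this example; the packet is placed one byte off alignment so that the two halfwords sit at odd addresses, the situation that crashed ppp on alpha.

```c
/* Added example, not code from this PR or from ppp's ip.c: an alignment-safe
 * and bounds-checked read of the QTYPE/QCLASS halfwords that follow a DNS
 * question name.  dns_parse_question(), read_be16() and sample_packet are
 * hypothetical names chosen here; the packet bytes are constructed. */
#include <arpa/inet.h>   /* ntohs */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a big-endian 16-bit field from an arbitrary byte address.  memcpy()
 * (like the bcopy() in the patch) moves the bytes into an aligned local, so
 * no 2-byte-aligned load is issued; *(const uint16_t *)p would trap on alpha
 * whenever p is odd. */
static uint16_t read_be16(const unsigned char *p)
{
    uint16_t tmp;
    memcpy(&tmp, p, sizeof tmp);
    return ntohs(tmp);
}

/* Walk the QNAME labels at buf[0..len) and then read QTYPE and QCLASS.
 * Returns the number of bytes the question occupies, or 0 if the data is
 * truncated or malformed.  The length check before the two reads is the part
 * the patch does not show: it keeps the copies inside the UDP payload. */
size_t dns_parse_question(const unsigned char *buf, size_t len,
                          uint16_t *qtype, uint16_t *qclass)
{
    size_t i = 0;

    for (;;) {
        if (i >= len)
            return 0;             /* name runs off the end of the payload */
        unsigned char l = buf[i++];
        if (l == 0)
            break;                /* zero-length root label ends the name */
        if (l & 0xC0)
            return 0;             /* 64..191 reserved, 192+ is a compression
                                     pointer: neither is a plain label */
        if (l > len - i)
            return 0;             /* label bytes would overrun the payload */
        i += l;
    }
    /* buf + i is what the patch calls `end`; demand the full four bytes */
    if (len - i < 4)
        return 0;
    *qtype = read_be16(buf + i);
    *qclass = read_be16(buf + i + 2);
    return i + 4;
}

/* Constructed sample: the question "www.example.com A IN", preceded by one
 * padding byte so that QTYPE and QCLASS sit at odd addresses. */
static const unsigned char sample_packet[] = {
    0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01,                   /* QTYPE  = A  */
    0x00, 0x01                    /* QCLASS = IN */
};

/* The well-formed question parses: 17 name bytes + 4 = 21, type A, class IN. */
int demo_parse_ok(void)
{
    uint16_t t = 0, c = 0;
    size_t n = dns_parse_question(sample_packet + 1, sizeof sample_packet - 1,
                                  &t, &c);
    return n == 21 && t == 1 && c == 1;
}

/* The same bytes cut one byte into QTYPE are rejected instead of over-read. */
int demo_parse_truncated(void)
{
    uint16_t t = 0, c = 0;
    return dns_parse_question(sample_packet + 1, 18, &t, &c) == 0;
}

int main(void)
{
    printf("well-formed question parsed: %s\n", demo_parse_ok() ? "yes" : "no");
    printf("truncated question rejected: %s\n",
           demo_parse_truncated() ? "yes" : "no");
    return 0;
}
```

The odd offset is the whole point of the sample: on alpha, a `*(const u_short *)` dereference of `sample_packet + 18` would fault, while the memcpy path returns the same value on any architecture. The truncated case shows what the bounds check buys beyond the patch: a payload that ends inside the trailing four bytes is reported as malformed rather than read past.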
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: brian
State-Changed-When: Wed May 30 08:53:15 PDT 2001
State-Changed-Why:
Fixed in -current - thanks.
I'll MFC the change in 2 weeks.

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27766
>Unformatted:
