From nobody@FreeBSD.org  Tue Apr 11 18:33:51 2000
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id EE27837BB46
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Apr 2000 18:33:50 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id SAA65648;
	Tue, 11 Apr 2000 18:33:49 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Message-Id: <200004120133.SAA65648@freefall.freebsd.org>
Date: Tue, 11 Apr 2000 18:33:49 -0700 (PDT)
From: msmith@netapp.com
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: routed calls ntohs twice on the same field
X-Send-Pr-Version: www-1.0

>Number:         17939
>Category:       bin
>Synopsis:       routed calls ntohs twice on the same field
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    sheldonh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 11 18:40:00 PDT 2000
>Closed-Date:    Tue Nov 27 10:35:21 PST 2001
>Last-Modified:  Tue Nov 27 10:35:54 PST 2001
>Originator:     Mark Smith
>Release:        3.4
>Organization:
Network Appliance
>Environment:
>Description:
In sbin/routed/rdisc.c, parse_ad() is called as follows:

          parse_ad(from.sin_addr.s_addr,
                   wp[0], wp[1],
                   ntohs(p->ad.icmp_ad_life),
                   ifp);

Thus, when we are in parse_ad() the 4th arg (life) is already in
host order.  Down at the bottom of parse_ad() we have this:

     new_drp->dr_life = ntohs(life);

It looks to me like this call to ntohs() ends up converting it
back to network order.  This causes routed to use the wrong value
when it uses dr_life elsewhere.

>How-To-Repeat:
This was found by code inspection.  The default value for life is
1800, which is 2055 when byte-swapped, so most people probably never
noticed.
>Fix:
Don't call ntohs() in parse_ad().

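Worked example, added here and not part of this PR or of routed itself: a small C program that builds a constructed ICMP Router Advertisement (RFC 1256 layout, type 9) carrying an 1800-second lifetime in network order, converts the lifetime once the way the rdisc.c caller quoted above does, and then shows what the second ntohs() inside parse_ad() does to that value. The function names, the constructed packet bytes and the 192.0.2.1 router address are assumptions for illustration, not routed's own code or captured traffic. Because ntohs() is the identity on a big-endian host, the program also reports the host byte order: the double conversion is invisible there, which is why the problem had to be found by inspection rather than by running routed on every platform.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed ICMP Router Advertisement (RFC 1256 layout) with one router
 * entry and a lifetime of 1800 seconds.  Sample input only, not a capture.
 */
static const uint8_t sample_ad[] = {
    9, 0,                   /* type 9 (router advertisement), code 0    */
    0x00, 0x00,             /* checksum, not verified in this example   */
    1,                      /* number of router addresses               */
    2,                      /* address entry size, in 32-bit words      */
    0x07, 0x08,             /* lifetime: 1800 = 0x0708, network order   */
    192, 0, 2, 1,           /* router address 192.0.2.1 (TEST-NET-1)    */
    0x00, 0x00, 0x00, 0x00  /* preference level                         */
};

#define AD_LIFE_OFFSET 6    /* byte offset of the lifetime field */

/* The lifetime as icmp_ad_life presents it: raw wire bytes, network order. */
static uint16_t ad_life_wire(const uint8_t *ad)
{
    uint16_t v;
    memcpy(&v, ad + AD_LIFE_OFFSET, sizeof v);
    return v;
}

/* What the rdisc.c caller hands to parse_ad(): ntohs() applied once. */
static uint16_t life_as_passed_to_parse_ad(const uint8_t *ad)
{
    return ntohs(ad_life_wire(ad));
}

/* parse_ad() as reported in the PR: ntohs() applied again to host order. */
static uint16_t dr_life_buggy(uint16_t life)
{
    return ntohs(life);
}

/* parse_ad() after the fix: the caller's host-order value is stored as is. */
static uint16_t dr_life_fixed(uint16_t life)
{
    return life;
}

/* ntohs() swaps bytes on little-endian hosts and is the identity elsewhere. */
static int host_is_little_endian(void)
{
    return ntohs(1) != 1;
}

int main(void)
{
    /* A few advertised lifetimes (seconds) to show the size of the error. */
    static const uint16_t lifetimes[] = { 10, 1800, 65535 };
    uint16_t from_packet = life_as_passed_to_parse_ad(sample_ad);
    size_t i;

    printf("host byte order: %s-endian\n",
           host_is_little_endian() ? "little" : "big");
    printf("lifetime parsed from sample packet: %u\n", from_packet);
    printf("%8s %14s %12s\n", "life", "double ntohs", "fixed");
    for (i = 0; i < sizeof lifetimes / sizeof lifetimes[0]; i++)
        printf("%8u %14u %12u\n", lifetimes[i],
               dr_life_buggy(lifetimes[i]), dr_life_fixed(lifetimes[i]));
    return 0;
}
```

On an x86 host the table shows 1800 becoming 2055 (0x0708 read as 0x0807) and a 10-second lifetime becoming 2560 (0x000a read as 0x0a00), so the stored dr_life can differ from the advertised value by orders of magnitude in either direction; on a big-endian host every row is unchanged.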
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->sheldonh 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Wed Apr 12 02:37:48 PDT 2000 
Responsible-Changed-Why:  
I've mailed the author (Vernon Schryver <vjs@calcite.rhyolite.com>) 
and am awaiting his feedback. 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/17939: routed calls ntohs twice on the same field
Date: Mon, 17 Apr 2000 07:23:05 +0200

 Feedback from the author...
 
 ------- Forwarded Message
 
 Date: Sat, 15 Apr 2000 14:09:19 -0600 (MDT)
 From: Vernon Schryver <vjs@calcite.rhyolite.com>
 Message-Id: <200004152009.OAA27229@calcite.rhyolite.com>
 To: sheldonh@uunet.co.za
 Subject: Re: byte-swapping problem in FreeBSD routed
 
 > From: Sheldon Hearn <sheldonh@uunet.co.za>
 > To: "Vernon J. Schryver" <vjs@mica.denver.sgi.com>
 > Date: Wed, 12 Apr 2000 11:33:30 +0200
 
 > Hi Vernon,
 >
 > We've received a problem report (PR) which proposes that the lifetime
 > member of an advertisement is byte-swapped twice.  Could you take a look
 > at the PR and comment?
 >
 > 	http://www.freebsd.org/cgi-bin/query-pr.cgi?pr=17939
 
 Yes, it's a bug.  I think it's more serious than that PR suggests.
 
 I've built a bundle of version 2.20 in ftp://ftp.rhyolite.com/src/routed.tar.Z
 Besides your fix, I've cleaned up a few warnings from a new version of gcc.
 I also added some comments about the byte order of the lifetime.
 
 I wish I knew of a way to resolve the warning from the va_start()
 macro casting a const in typical varargs functions that use
 printf-style patterns.
 
 
 vjs
 
 
 ------- End of Forwarded Message
 
 
State-Changed-From-To: open->analyzed 
State-Changed-By: sheldonh 
State-Changed-When: Wed Aug 2 04:43:31 PDT 2000 
State-Changed-Why:  
Vernon's routed-2.21 fixes this problem and has been imported on 
the VJS vendor branch for HEAD.  In a few weeks, I plan to merge 
it onto the RELENG_4 branch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=17939 
State-Changed-From-To: analyzed->closed 
State-Changed-By: sheldonh 
State-Changed-When: Tue Nov 27 10:35:21 PST 2001 
State-Changed-Why:  
This problem was fixed on the RELENG_4 branch on 2000/08/14! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=17939 
>Unformatted:
