From jeremyp@gsmx07.alcatel.com.au  Wed Jan 28 16:12:34 2004
Return-Path: <jeremyp@gsmx07.alcatel.com.au>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 88E5A16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 28 Jan 2004 16:12:34 -0800 (PST)
Received: from alcanet.com.au (mail2.alcanet.com.au [203.62.196.17])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DA4E243D1F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 28 Jan 2004 16:12:28 -0800 (PST)
	(envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: from sydsmtp02.alcatel.com.au (localhost.localdomain [127.0.0.1])
	by alcanet.com.au (8.12.9/8.12.9/Alcanet1.3) with ESMTP id i0T0CMZr015849;
	Thu, 29 Jan 2004 11:12:22 +1100
Received: from gsmx07.alcatel.com.au ([139.188.20.247])
          by sydsmtp02.alcatel.com.au (Lotus Domino Release 5.0.12)
          with ESMTP id 2004012911122156:14496 ;
          Thu, 29 Jan 2004 11:12:21 +1100 
Received: from gsmx07.alcatel.com.au (localhost [127.0.0.1])
	by gsmx07.alcatel.com.au (8.12.9p2/8.12.9) with ESMTP id i0T0CLHQ052874;
	Thu, 29 Jan 2004 11:12:21 +1100 (EST)
	(envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: (from jeremyp@localhost)
	by gsmx07.alcatel.com.au (8.12.9p2/8.12.9/Submit) id i0T0CKvR052873;
	Thu, 29 Jan 2004 11:12:20 +1100 (EST)
	(envelope-from jeremyp)
Message-Id: <200401290012.i0T0CKvR052873@gsmx07.alcatel.com.au>
Date: Thu, 29 Jan 2004 11:12:20 +1100 (EST)
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] Incorrect expansion of "MYADDR" in ppp(8)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         62050
>Category:       bin
>Synopsis:       [PATCH] Incorrect expansion of "MYADDR" in ppp(8)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    brian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 28 16:20:11 PST 2004
>Closed-Date:    Sun Jul 18 01:02:40 GMT 2004
>Last-Modified:  Sun Jul 18 01:02:40 GMT 2004
>Originator:     Peter Jeremy
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
Alcatel Australia Limited
>Environment:
System: FreeBSD gsmx07.alcatel.com.au 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #0: Fri Dec 19 07:22:50 EST 2003 root@aalp03.alcatel.com.au:/mnt/obj/mnt/rpc/src/sys/gsmx i386

>Description:
	The literal "MYADDR" is incorrectly expanded to the IP address
	associated with the hostname rather than the address defined in
	a previous "set ifaddr" command.

	Code inspection indicates that the faulty code was introduced
	in command.c v1.268 and MFCd in v1.230.2.16.

>How-To-Repeat:
	Using the default ppp and ppp.conf from 4.9p1, enter the following
	commands:
gsmx07# ppp
Working in interactive mode
Using interface: tun0
ppp ON gsmx07> set ifaddr 10.1.1.1 10.1.1.2
ppp ON gsmx07> ! echo MYADDR HISADDR
ppp: Pausing until echo finishes
xxx.yyy.zzz.ttt 10.1.1.2
ppp ON gsmx07> 
	(Where xxx.yyy.zzz.ttt is the IP address associated with gsmx07).

	A ppp patched as below responds as expected:
gsmx07# /tmp/ppp
Working in interactive mode
Using interface: tun0
ppp ON gsmx07> set ifaddr 10.1.1.1 10.1.1.2
ppp ON gsmx07> ! echo MYADDR HISADDR
ppp: Pausing until echo finishes
10.1.1.1 10.1.1.2
ppp ON gsmx07>

>Fix:

	command.c:SetInterfaceAddr() defines "ncpaddr" as a local
	variable and it is unused prior to the code in the patch below.
	ncp->ipcp.cfg.my_range is initialised from the first argument
	to "set ifaddr".  Both ncpaddr_getip4() and ncprange_getaddr()
	copy data (including the source IP address) from the first
	argument to the second argument.  The existing order means that 
	ncpaddr is referenced before it is set.  It is unclear to me
	why using the (undefined) content of ncpaddr results in the
	IP address associated with the hostname being used.
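
	The ordering problem described above, as an added example that is
	not ppp's own code: a deliberately simplified model of ncpaddr,
	ncprange and the two helpers, run once in the order the 4.x code
	used and once in the order the patch uses.  The struct layouts,
	field names, the status returned by the getip4 helper, the
	"garbage" family value standing in for the uninitialised local and
	the sample addresses are all assumptions made for illustration.

```c
/* Added example, not ppp's own code: a simplified model of the two helpers
 * named in the PR, showing why the call order matters and why the bug was a
 * silent no-op rather than a crash.  Struct layouts, field names and return
 * values are assumptions, not ppp's real definitions. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct model_ncpaddr {
  int family;            /* AF_INET, AF_INET6 or AF_UNSPEC (assumed layout) */
  struct in_addr ip4;    /* only meaningful when family == AF_INET */
};

struct model_ncprange {
  struct model_ncpaddr addr;
  int width;
};

/* Copy the address out of a range (models ncprange_getaddr). */
static void model_ncprange_getaddr(const struct model_ncprange *range,
                                   struct model_ncpaddr *addr)
{
  *addr = range->addr;
}

/* Copy the IPv4 address out of an ncpaddr (models ncpaddr_getip4).
 * Returns 1 on success; 0, leaving *ip untouched, when the family is not
 * AF_INET.  That untouched *ip is the silent no-op the audit trail describes. */
static int model_ncpaddr_getip4(const struct model_ncpaddr *addr,
                                struct in_addr *ip)
{
  if (addr->family != AF_INET)
    return 0;
  *ip = addr->ip4;
  return 1;
}

/* The two orderings from the hunk.  `my_ip` arrives holding whatever ppp
 * assigned earlier (the hostname's address in the report) and is returned
 * after "set ifaddr".  `garbage_family` stands in for the indeterminate
 * contents of the uninitialised local in the buggy version: a real run has
 * no defined value there, so the model lets the caller choose one. */
static struct in_addr set_ifaddr_buggy(struct in_addr my_ip,
                                       const struct model_ncprange *my_range,
                                       int garbage_family)
{
  struct model_ncpaddr ncpaddr;
  ncpaddr.family = garbage_family;        /* stands in for uninitialised stack */
  ncpaddr.ip4.s_addr = 0;

  model_ncpaddr_getip4(&ncpaddr, &my_ip); /* reads ncpaddr before it is set */
  model_ncprange_getaddr(my_range, &ncpaddr);
  return my_ip;
}

static struct in_addr set_ifaddr_fixed(struct in_addr my_ip,
                                       const struct model_ncprange *my_range)
{
  struct model_ncpaddr ncpaddr;

  model_ncprange_getaddr(my_range, &ncpaddr); /* fill ncpaddr first */
  model_ncpaddr_getip4(&ncpaddr, &my_ip);     /* then read from it */
  return my_ip;
}

/* Return the resulting MYADDR in dotted form so the two runs compare
 * directly with the "! echo MYADDR HISADDR" output in the report. */
static const char *myaddr_after_set_ifaddr(int fixed, int garbage_family)
{
  static char buf[INET_ADDRSTRLEN];
  struct in_addr host_ip, result;
  struct model_ncprange range;

  /* constructed sample values: the hostname's address and "set ifaddr 10.1.1.1" */
  inet_pton(AF_INET, "192.0.2.7", &host_ip);
  range.addr.family = AF_INET;
  inet_pton(AF_INET, "10.1.1.1", &range.addr.ip4);
  range.width = 32;

  result = fixed ? set_ifaddr_fixed(host_ip, &range)
                 : set_ifaddr_buggy(host_ip, &range, garbage_family);
  return inet_ntop(AF_INET, &result, buf, sizeof buf);
}

int main(void)
{
  printf("buggy order, stale family:  %s\n", myaddr_after_set_ifaddr(0, AF_UNSPEC));
  printf("buggy order, AF_INET junk:  %s\n", myaddr_after_set_ifaddr(0, AF_INET));
  printf("fixed order:                %s\n", myaddr_after_set_ifaddr(1, AF_UNSPEC));
  return 0;
}
```

	With the stale family the buggy order leaves MYADDR at the
	hostname's address, matching the report; when the leftover stack
	contents happen to look like AF_INET, MYADDR becomes whatever was
	in the uninitialised struct instead (the "most of the time" caveat
	in the audit trail).  The patched order yields 10.1.1.1 either way.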

Index: command.c
===================================================================
RCS file: /usr/ncvs/src/usr.sbin/ppp/command.c,v
retrieving revision 1.230.2.20
diff -u -r1.230.2.20 command.c
--- command.c   11 Aug 2003 09:35:50 -0000      1.230.2.20
+++ command.c   28 Jan 2004 02:51:14 -0000
@@ -1576,8 +1576,8 @@
   }
 
   /* 0.0.0.0 means any address (0 bits) */
-  ncpaddr_getip4(&ncpaddr, &ncp->ipcp.my_ip);
   ncprange_getaddr(&ncp->ipcp.cfg.my_range, &ncpaddr);
+  ncpaddr_getip4(&ncpaddr, &ncp->ipcp.my_ip);
   if (ncp->ipcp.my_ip.s_addr == INADDR_ANY)
     ncprange_setwidth(&ncp->ipcp.cfg.my_range, 0);
   bundle_AdjustFilters(arg->bundle, &ncpaddr, NULL);
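Review bot: the reorder in this hunk is the right fix, since ncprange_getaddr() now fills ncpaddr before both consumers (ncpaddr_getip4() and the bundle_AdjustFilters() call in the trailing context) read it, but the result of ncpaddr_getip4() is still discarded at the moved line.  The audit trail notes the call is a no-op when ncpaddr's family is not AF_INET, and in that case ncp->ipcp.my_ip silently keeps its previous value, which is exactly the symptom that made this bug hard to see.  If the function reports that condition through its return value, checking it here (for example, treating a non-IPv4 address as an error or as INADDR_ANY before the s_addr comparison on the next line) would turn a future ordering or type mistake into a visible failure rather than a stale address.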
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->brian 
Responsible-Changed-By: vs 
Responsible-Changed-When: Thu Jul 15 09:06:48 GMT 2004 
Responsible-Changed-Why:  
Brian's territory 

http://www.freebsd.org/cgi/query-pr.cgi?pr=62050 
State-Changed-From-To: open->patched 
State-Changed-By: brian 
State-Changed-When: Thu Jul 15 09:25:04 GMT 2004 
State-Changed-Why:  
I've committed to -current and will MFC in 3 days if there are no problems. 

Interestingly enough, the call to ncpaddr_getip4addr() with an uninitialised 
first argument resulted in a no-op (well, most of the time!) because 
ncpaddr.ncpaddr_family != AF_INET. 

Thanks to the submitter for finding this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=62050 
State-Changed-From-To: patched->closed 
State-Changed-By: brian 
State-Changed-When: Sun Jul 18 01:01:15 GMT 2004 
State-Changed-Why:  
The fix has been MFC'd 

http://www.freebsd.org/cgi/query-pr.cgi?pr=62050 
>Unformatted:
