From nobody@FreeBSD.org  Thu May 13 02:54:36 2010
Message-Id: <201005130254.o4D2saWZ023887@www.freebsd.org>
Date: Thu, 13 May 2010 02:54:36 GMT
From: "Earl R. Lapus" <earl.lapus@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [icmpv6] wrong source address in echo reply
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         146534
>Category:       kern
>Synopsis:       [icmp6] wrong source address in echo reply
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 13 03:00:07 UTC 2010
>Closed-Date:    
>Last-Modified:  Sat Sep 18 23:00:07 UTC 2010
>Originator:     Earl R. Lapus
>Release:        FreeBSD 8.0-STABLE
>Organization:
>Environment:
FreeBSD fbsd8-ndp.infoweapons.com 8.0-STABLE FreeBSD 8.0-STABLE #9: Wed May 12 21:50:07 PHT 2010     root@fbsd8-ndp.infoweapons.com:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
When pinging a Global Address of a host -- say host A -- from another machine -- say host B -- using the Link-Local Address as source, the echo reply message will use host A's Link-Local Address instead of its Global Address as the source address (see how-to-repeat part for a more detailed description).

When removing a particular "fix" from the sys/netinet6/icmp6.c code, ping will now use the Global-Address as the source in the echo reply message (see fix-to-the-problem-if-known part for a more detailed description).

I'm using 8.0-STABLE as of 2010/04/28.
>How-To-Repeat:
The setup is as follows,

hostname: fbsd8-ndp
-----------------------
fbsd8-ndp# ifconfig fxp1
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
        ether 00:08:9b:10:07:3d
        inet6 fe80::208:9bff:fe10:73d%fxp1 prefixlen 64 scopeid 0x2
        inet6 3ffe:501:ffff:100:208:9bff:fe10:73d prefixlen 64
        inet6 3ffe:501:ffff:100:: prefixlen 64 anycast
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

hostname: fbsd72-i386-tn
------------------------
fbd72-i386-tn# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:03:47:de:f2:d8
        inet6 fe80::203:47ff:fede:f2d8%fxp0 prefixlen 64 scopeid 0x2
        inet6 3ffe:501:ffff:100::200 prefixlen 64
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

1) fbsd8-ndp's fxp1 interface is connected directly to fbd72-i386-tn's fxp0 interface (cross connect)
2) ping6 is sent from fbd72-i386-tn to fbsd8-ndp
3) when pinging, set the source address to fbd72-i386-tn's link-local address

Results:
fbsd72-i386-tn# ping6 -S fe80::203:47ff:fede:f2d8%fxp0 3ffe:501:ffff:100:208:9bff:fe10:73d
PING6(56=40+8+8 bytes) fe80::203:47ff:fede:f2d8%fxp0 --> 3ffe:501:ffff:100:208:9bff:fe10:73d
16 bytes from fe80::208:9bff:fe10:73d%fxp0, icmp_seq=0 hlim=64 time=0.383 ms
16 bytes from fe80::208:9bff:fe10:73d%fxp0, icmp_seq=1 hlim=64 time=0.236 ms
16 bytes from fe80::208:9bff:fe10:73d%fxp0, icmp_seq=2 hlim=64 time=0.208 ms
16 bytes from fe80::208:9bff:fe10:73d%fxp0, icmp_seq=3 hlim=64 time=0.199 ms
^C
--- 3ffe:501:ffff:100:208:9bff:fe10:73d ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.199/0.257/0.383/0.074 ms

** You can see that the echo reply from fbsd8-ndp uses fe80::208:9bff:fe10:73d%fxp0 as the source address
>Fix:
This modification (http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/icmp6.c.diff?r1=1.118;r2=1.119;f=h) was applied to 8.x branches. If the modification is not applied to the source, echo reply works as expected.

Since it was only applied to 8.x branches, I'm *assuming* that this behavior does not occur in 7.x branches.

Below is the ping result when kernel is recompiled without the said modification (source address is now the Global-Address):

fbd72-i386-tn# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:03:47:de:f2:d8
        inet6 fe80::203:47ff:fede:f2d8%fxp0 prefixlen 64 scopeid 0x2
        inet6 3ffe:501:ffff:100::200 prefixlen 64
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

fbsd72-i386-tn# ping6 -S fe80::203:47ff:fede:f2d8%fxp0 3ffe:501:ffff:100:208:9bff:fe10:73d
PING6(56=40+8+8 bytes) fe80::203:47ff:fede:f2d8%fxp0 --> 3ffe:501:ffff:100:208:9bff:fe10:73d
16 bytes from 3ffe:501:ffff:100:208:9bff:fe10:73d, icmp_seq=0 hlim=64 time=0.509 ms
16 bytes from 3ffe:501:ffff:100:208:9bff:fe10:73d, icmp_seq=1 hlim=64 time=0.209 ms
16 bytes from 3ffe:501:ffff:100:208:9bff:fe10:73d, icmp_seq=2 hlim=64 time=0.167 ms
16 bytes from 3ffe:501:ffff:100:208:9bff:fe10:73d, icmp_seq=3 hlim=64 time=0.172 ms
^C
--- 3ffe:501:ffff:100:208:9bff:fe10:73d ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.167/0.264/0.509/0.142 ms


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri May 14 08:54:45 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146534 

From: Earl Lapus <earl.lapus@gmail.com>
To: bug-followup@FreeBSD.org, earl.lapus@gmail.com
Cc:  
Subject: Re: kern/146534: [icmp6] wrong source address in echo reply
Date: Sat, 22 May 2010 14:06:45 +0800

 --001636b14d02cd6f320487289c7c
 Content-Type: text/plain; charset=ISO-8859-1
 
 Attached patch fixes the problem
 
 --001636b14d02cd6f320487289c7c
 Content-Type: application/octet-stream; name="icmp6.c.diff"
 Content-Disposition: attachment; filename="icmp6.c.diff"
 Content-Transfer-Encoding: base64
 X-Attachment-Id: f_g9i17div0
 
 --001636b14d02cd6f320487289c7c--

From: jhell <jhell@DataIX.net>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/146534: [icmp6] wrong source address in echo reply
Date: Sat, 18 Sep 2010 16:52:21 -0400

 This is a multi-part message in MIME format.
 --------------090403020508080503040902
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 
 This PR seems to have been left behind. While it has been, I have tested
 this patch for quite some time now with no downsides noted.
 
 While this in fact fixes the noted problem, attached is a patch that
 cleans this patch up a bit.
 
 With this patch applied is correct behavior.
 
 -- 
 
  jhell,v
 
 --------------090403020508080503040902
 Content-Type: text/plain;
  name="sys_netinet6_icmp6.c.patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
  filename="sys_netinet6_icmp6.c.patch"
 
 --- sys/netinet6/icmp6.c	(revision 210616)
 +++ sys/netinet6/icmp6.c	(working copy)
 @@ -2162,8 +2162,21 @@
  	}
  
  	if ((srcp != NULL) && 
 -	    (in6_addrscope(srcp) != in6_addrscope(&ip6->ip6_src)))
 -		srcp = NULL;
 +		(in6_addrscope(srcp) != in6_addrscope(&ip6->ip6_src))) {
 +			struct sockaddr_in6 sin6;
 + 
 +		bzero(&sin6, sizeof(sin6));
 +		sin6.sin6_family = AF_INET6;
 +		sin6.sin6_len = sizeof(sin6);
 +		sin6.sin6_addr = origdst;
 +
 +		ia = (struct in6_ifaddr *)
 +			ifa_ifwithaddr((struct sockaddr *)&sin6);
 +
 +		if (ia && (ia->ia6_flags & IN6_IFF_ANYCAST))
 +			srcp = NULL;
 +	}
 +
  
  	if (srcp == NULL) {
  		int e;
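
Review bot: the added lines do not follow the indentation of the code they replace. The continuation of the if condition moved from a tab plus four spaces to two tabs, "struct sockaddr_in6 sin6;" sits one tab deeper than the statements that follow it in the same block, the line after that declaration contains only a space, and the blank added line after the closing brace doubles the blank context line that was already there. Keep the original continuation indent, align the declaration with the block body, and drop the whitespace-only line and the extra blank line.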
 
 --------------090403020508080503040902
 Content-Type: application/octet-stream;
  name="sys_netinet6_icmp6.c.patch.sig"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment;
  filename="sys_netinet6_icmp6.c.patch.sig"
 
 --------------090403020508080503040902--

From: jhell <jhell@DataIX.net>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/146534: [icmp6] wrong source address in echo reply
Date: Sat, 18 Sep 2010 18:59:20 -0400

 This is a multi-part message in MIME format.
 --------------090904000205030606040405
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 
 On 09/18/2010 16:52, jhell wrote:
 > 
 > This PR seems to have been left behind. While it has been, I have tested
 > this patch for quite some time now with no downsides noted.
 > 
 > While this in fact fixes the noted problem, attached is a patch that
 > cleans this patch up a bit.
 > 
 > With this patch applied is correct behavior.
 > 
 
 Last patch agrbled ;)
 
 New attached patch non garbled ;)
 
 -- 
 
  jhell,v
 
 --------------090904000205030606040405
 Content-Type: text/plain;
  name="sys_netinet6_icmp6.c.patch.txt"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
  filename="sys_netinet6_icmp6.c.patch.txt"
 
 --- sys/netinet6/icmp6.c	(revision 210616)
 +++ sys/netinet6/icmp6.c	(working copy)
 @@ -2162,8 +2162,21 @@
  	}
  
  	if ((srcp != NULL) && 
 -	    (in6_addrscope(srcp) != in6_addrscope(&ip6->ip6_src)))
 -		srcp = NULL;
 +		(in6_addrscope(srcp) != in6_addrscope(&ip6->ip6_src))) {
 +			struct sockaddr_in6 sin6;
 + 
 +		bzero(&sin6, sizeof(sin6));
 +		sin6.sin6_family = AF_INET6;
 +		sin6.sin6_len = sizeof(sin6);
 +		sin6.sin6_addr = origdst;
 +
 +		ia = (struct in6_ifaddr *)
 +			ifa_ifwithaddr((struct sockaddr *)&sin6);
 +
 +		if (ia && (ia->ia6_flags & IN6_IFF_ANYCAST))
 +			srcp = NULL;
 +	}
 +
  
  	if (srcp == NULL) {
  		int e;
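
Review bot: the anycast test runs only inside the scope-mismatch branch, so srcp is cleared only when in6_addrscope(srcp) != in6_addrscope(&ip6->ip6_src) and origdst is flagged IN6_IFF_ANYCAST. If the intent is that an anycast origdst is never used as the reply source, a same-scope request to an anycast address still keeps srcp here; either test IN6_IFF_ANYCAST independently of the scope comparison or add a comment saying where that case is handled. The block also overwrites ia, which is declared outside the hunk, and shows no release of the ifa_ifwithaddr() result; a block-local pointer, plus a release if that lookup returns a referenced address on this branch, would keep the lookup from affecting later code.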
 
 --------------090904000205030606040405--
>Unformatted:
