From nobody@FreeBSD.org  Thu May 19 21:53:57 2011
Return-Path: <nobody@FreeBSD.org>
Message-Id: <201105192153.p4JLrvtH004172@red.freebsd.org>
Date: Thu, 19 May 2011 21:53:57 GMT
From: Peter Losher <plosher@isc.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: libpcap 
X-Send-Pr-Version: www-3.1
X-GNATS-Notify: wxs@FreeBSD.org

>Number:         157188
>Category:       kern
>Synopsis:       [libpcap] [patch] incorporate patch from upstream
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 19 22:00:27 UTC 2011
>Closed-Date:    Tue Jul 12 01:17:10 UTC 2011
>Last-Modified:  Tue Jul 12 01:20:14 UTC 2011
>Originator:     Peter Losher
>Release:        8.2-RELEASE
>Organization:
Internet Systems Consortium
>Environment:
FreeBSD freebsd8.lab.isc.org 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
One of our engineers @ISC discovered that there is a bug in the currently
released version of libpcap (in base and in ports) that can be triggered
when using an "ip6 protochain" filter.  It's due to the fairly complicated
BPF bytecode that libpcap generates for IPv6 header chasing combined with
a sign extension bug when processing JA (jump absolute) opcodes.  (JA is
used to go backwards and without sign extension on 64 bit platforms the
BPF interpreter incorrectly jumps forward... a lot.)

>How-To-Repeat:
root@freebsd8:~# tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 58'
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
Segmentation fault: 11 (core dumped)

>Fix:
There is a fix in the libpcap repository:

https://github.com/mcr/libpcap/commit/ecdc5c0a7f7591a7cd4aff696e42757c677fbbf7

but the tcpdump-workers have been pretty tardy about putting out newer
code, so it sits there stalled.

With the patch applied, it all works well and you should see something
like this:

-=-
$ tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 58' 
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
18:43:07.098489 IP6 fe80::208:7dff:feb7:2cca > ff02::1: HBH ICMP6, multicast listener queryv2  [gaddr ::], length 28
-=-
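As an added illustration (not part of this PR or of libpcap itself), the C program below models the JA dispatch from bpf_filter.c: a 64-bit program counter, a 32-bit k, and the offset applied relative to the instruction after the jump, since the interpreter's loop increments pc before dispatching. The function names, the constructed four-instruction program and the index-based bounds check are mine.

```c
/* Added example (not from the PR or libpcap): a model of the BPF_JA
 * dispatch in bpf_filter.c showing why the 32-bit offset must be
 * sign-extended before being added to a 64-bit program counter. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t bpf_u_int32;   /* same widths as libpcap's types */
typedef int32_t  bpf_int32;

/* Mirrors struct bpf_insn; the JA case only looks at code and k. */
struct insn { unsigned short code; unsigned char jt, jf; bpf_u_int32 k; };
#define BPF_JMP 0x05
#define BPF_JA  0x00
#define BPF_RET 0x06

/* Index of the next instruction executed after a JA at index pc.
 * The real loop does "++pc" before dispatch, so the offset is applied
 * relative to the instruction following the jump.  With sign_extend == 0
 * k is zero-extended, which is what "pc += pc->k" does when pc (a 64-bit
 * pointer) is wider than k; with sign_extend != 0 it mirrors the fix,
 * "pc += (bpf_int32)pc->k".  Indices are used instead of pointers so an
 * out-of-range target is reported rather than dereferenced. */
uint64_t ja_target(uint64_t pc, bpf_u_int32 k, int sign_extend)
{
    if (sign_extend)
        return pc + 1 + (uint64_t)(int64_t)(bpf_int32)k;
    return pc + 1 + k;
}

/* What a validator must establish before the interpreter runs. */
int ja_in_bounds(uint64_t pc, bpf_u_int32 k, size_t len, int sign_extend)
{
    return ja_target(pc, k, sign_extend) < len;
}

int main(void)
{
    /* Constructed program: insn 3 is "ja -3", meant to land on insn 1. */
    struct insn prog[] = {
        { BPF_RET, 0, 0, 0 }, { BPF_RET, 0, 0, 0 }, { BPF_RET, 0, 0, 0 },
        { BPF_JMP | BPF_JA, 0, 0, (bpf_u_int32)-3 },
    };
    size_t len = sizeof prog / sizeof prog[0];
    for (int se = 0; se <= 1; se++)
        printf("%s: next insn %llu, in bounds: %d\n",
               se ? "sign-extended" : "zero-extended",
               (unsigned long long)ja_target(3, prog[3].k, se),
               ja_in_bounds(3, prog[3].k, len, se));
    return 0;
}
```

Without sign extension the backward jump becomes a forward jump of about four billion instructions, which is the out-of-bounds read behind the segmentation fault quoted above.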

>Release-Note:
>Audit-Trail:

From: Jason Hellenthal <jhell@DataIX.net>
To: Peter Losher <plosher@isc.org>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: misc/157188: libpcap
Date: Sat, 21 May 2011 14:59:53 -0400

 Peter, Bugs Users,
 
 I have gone through the sources on stable/8 and generated a patch that
 brings all the bpf_filter.c code up to date with this change. If anyone
 would like to test it out or needs this change, I have uploaded it here.
 
 http://patches.jhell.googlecode.com/hg/libpcap_sign-extend-ja.patch
 
 Because 9-CURRENT is a different monster using libpcap 1.1 someone will
 obviously have to adjust the patch accordingly.
 
 -- 
 
  Regards, (jhell)
  Jason Hellenthal
 
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/157188: commit references a PR
Date: Sun, 22 May 2011 17:15:31 +0000 (UTC)

 wxs         2011-05-22 17:15:21 UTC
 
   FreeBSD ports repository
 
   Modified files:
     net/libpcap          Makefile 
   Added files:
     net/libpcap/files    patch-bpf__net__bpf_filter.c 
   Log:
   Bring in commit ecdc5c0a7f7591a7cd4aff696e42757c677fbbf7 from upstream.
   This fixes a crash when using 'ip6 protochain' filters.
   
   PR:             kern/157188
   Submitted by:   plosher@
   
   Revision  Changes    Path
   1.24      +1 -0      ports/net/libpcap/Makefile
   1.1       +21 -0     ports/net/libpcap/files/patch-bpf__net__bpf_filter.c (new)
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: delphij 
State-Changed-When: Tue Jun 28 00:58:18 UTC 2011 
State-Changed-Why:  
Patch applied against -HEAD. 


Responsible-Changed-From-To: freebsd-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Tue Jun 28 00:58:18 UTC 2011 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157188 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/157188: commit references a PR
Date: Tue, 28 Jun 2011 00:58:20 +0000 (UTC)

 Author: delphij
 Date: Tue Jun 28 00:58:12 2011
 New Revision: 223616
 URL: http://svn.freebsd.org/changeset/base/223616
 
 Log:
   Incorporate vendor commit ecdc5c0a7f7591a7cd4a:
   
   In userland, sign extend the offset for JA instructions.
   
   We currently use that to implement "ip6 protochain", and "pc" might be
   wider than "pc->k", in which case we need to arrange that "pc->k" be
   sign-extended, by casting it to bpf_int32.
   
   PR:		kern/157188
   Submitted by:	plosher
   MFC after:	2 weeks
 
 Modified:
   head/contrib/libpcap/bpf/net/bpf_filter.c
 
 Modified: head/contrib/libpcap/bpf/net/bpf_filter.c
 ==============================================================================
 --- head/contrib/libpcap/bpf/net/bpf_filter.c	Tue Jun 28 00:01:55 2011	(r223615)
 +++ head/contrib/libpcap/bpf/net/bpf_filter.c	Tue Jun 28 00:58:12 2011	(r223616)
 @@ -405,7 +405,18 @@ bpf_filter(pc, p, wirelen, buflen)
  			continue;
  
  		case BPF_JMP|BPF_JA:
 +#if defined(KERNEL) || defined(_KERNEL)
 +			/*
 +			 * No backward jumps allowed.
 +			 */
  			pc += pc->k;
 +#else
 +			/*
 +			 * XXX - we currently implement "ip6 protochain"
 +			 * with backward jumps, so sign-extend pc->k.
 +			 */
 +			pc += (bpf_int32)pc->k;
 +#endif
  			continue;
  
  		case BPF_JMP|BPF_JGT|BPF_K:
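Review bot: the userland branch `pc += (bpf_int32)pc->k;` fixes the width mismatch but adds no check that the sign-extended offset lands inside the program, so this path still depends entirely on the filter having been validated before it runs; the comment should say so, and the kernel branch's "No backward jumps allowed." states a rule that nothing in this hunk enforces, so naming where that rule is enforced would help the next reader. The `XXX` comment would also be easier to trace later if it cited kern/157188.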
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Tue Jul 12 01:16:51 UTC 2011 
State-Changed-Why:  
MFC'ed to RELENG_8, thanks for your submission! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157188 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/157188: commit references a PR
Date: Tue, 12 Jul 2011 01:16:58 +0000 (UTC)

 Author: delphij
 Date: Tue Jul 12 01:16:43 2011
 New Revision: 223941
 URL: http://svn.freebsd.org/changeset/base/223941
 
 Log:
   MFC r223616:
   
   Incorporate vendor commit ecdc5c0a7f7591a7cd4a:
   
   In userland, sign extend the offset for JA instructions.
   
   We currently use that to implement "ip6 protochain", and "pc" might be
   wider than "pc->k", in which case we need to arrange that "pc->k" be
   sign-extended, by casting it to bpf_int32.
   
   PR:		kern/157188
   Submitted by:	plosher
 
 Modified:
   stable/8/contrib/libpcap/bpf/net/bpf_filter.c
 Directory Properties:
   stable/8/contrib/libpcap/   (props changed)
 
 Modified: stable/8/contrib/libpcap/bpf/net/bpf_filter.c
 ==============================================================================
 --- stable/8/contrib/libpcap/bpf/net/bpf_filter.c	Tue Jul 12 00:31:11 2011	(r223940)
 +++ stable/8/contrib/libpcap/bpf/net/bpf_filter.c	Tue Jul 12 01:16:43 2011	(r223941)
 @@ -396,7 +396,18 @@ bpf_filter(pc, p, wirelen, buflen)
  			continue;
  
  		case BPF_JMP|BPF_JA:
 +#if defined(KERNEL) || defined(_KERNEL)
 +			/*
 +			 * No backward jumps allowed.
 +			 */
  			pc += pc->k;
 +#else
 +			/*
 +			 * XXX - we currently implement "ip6 protochain"
 +			 * with backward jumps, so sign-extend pc->k.
 +			 */
 +			pc += (bpf_int32)pc->k;
 +#endif
  			continue;
  
  		case BPF_JMP|BPF_JGT|BPF_K:
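Review bot: this MFC hunk matches r223616 apart from the hunk header (`@@ -396,7 +396,18 @@` against `@@ -405,7 +405,18 @@`), which is what one wants; the remaining nit is `#if defined(KERNEL) || defined(_KERNEL)`, which tests two spellings of the kernel macro without saying why both are needed, and since this file lives under contrib/ that local context is easy to lose on the next vendor import. Suggest folding the reason into the existing "No backward jumps allowed." comment.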
 
>Unformatted:
