From volf@oasis.IAEhv.nl  Sat Aug 26 18:30:18 2000
Return-Path: <volf@oasis.IAEhv.nl>
Received: from news.IAEhv.nl (news.IAE.nl [194.151.64.4])
	by hub.freebsd.org (Postfix) with ESMTP id 785BA37B424
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 26 Aug 2000 18:30:17 -0700 (PDT)
Received: (from uucp@localhost)
	by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id DAA21466
	for FreeBSD-gnats-submit@freebsd.org; Sun, 27 Aug 2000 03:30:16 +0200 (MET DST)
Received: from avalon.oasis.IAEhv.nl (avalon.oasis.IAEhv.nl [192.168.1.3])
	by drawbridge.oasis.IAEhv.nl (Postfix) with ESMTP id 327493E42
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 27 Aug 2000 03:29:14 +0200 (CEST)
Received: by avalon.oasis.IAEhv.nl (Postfix, from userid 226)
	id B2DF93D; Sun, 27 Aug 2000 03:29:13 +0200 (CEST)
Message-Id: <20000827012913.B2DF93D@avalon.oasis.IAEhv.nl>
Date: Sun, 27 Aug 2000 03:29:13 +0200 (CEST)
From: volf@oasis.IAEhv.nl
Reply-To: volf@oasis.IAEhv.nl
To: FreeBSD-gnats-submit@freebsd.org
Cc: volf@oasis.IAEhv.nl
Subject: ICMP error msg on UDP port unreachable is incorrect 
X-Send-Pr-Version: 3.2

>Number:         20877
>Category:       kern
>Synopsis:       ICMP error msg on UDP port unreachable is incorrect
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 26 18:40:01 PDT 2000
>Closed-Date:    Sun Aug 27 08:34:02 PDT 2000
>Last-Modified:  Wed Aug 30 01:43:56 PDT 2000
>Originator:     Frank Volf
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
/etc/organization
>Environment:
>Description:

When a UDP packet is sent to a port that is unreachable (which is a common 
feature used in e.g. traceroute), an ICMP error message is returned (ICMP 
port unreachable) which includes (part of) the original IP packet.

The problem is that this (part of the) original IP packet is not completely
correct. The ip_id field is not in network byte order (in ip_input(), ip_id
is translated to host byte order), but this is never reverted before the
IP packet is sent to icmp_error for generation of the ICMP error message.
The following patch (relative to 4.1 stable source code) fixes the problem:

Index: udp_usrreq.c
===================================================================
RCS file: /home2/CVS/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.64.2.3
diff -u -u -r1.64.2.3 udp_usrreq.c
--- udp_usrreq.c	2000/08/03 00:09:36	1.64.2.3
+++ udp_usrreq.c	2000/08/27 01:02:35
@@ -358,8 +358,10 @@
 		if (badport_bandlim(0) < 0)
 			goto bad;
 #endif
-		if (!blackhole)
+		if (!blackhole) {
+			HTONS(ip->ip_id);
 			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
+		}
 		else
 			goto bad;
 		return;
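Review bot: the added `HTONS(ip->ip_id)` covers only one of the fields that ip_input() left in host byte order; ip_off is still quoted byte-swapped, and although the packet is reassembled at this point the IP_MF/IP_DF bits can still be set, so a probe sent with DF will still be echoed incorrectly. Converting here also means every other icmp_error() caller in ip_input()/ip_forward() would need the same treatment; the conversion belongs in icmp_error() itself, which already reads the field in host order in `if (oip->ip_off &~ (IP_MF|IP_DF))`. Minor style point: KNF puts `} else` on one line.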


Please commit this patch to the FreeBSD source code repository.

Many thanks,

               Frank


>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Sun Aug 27 08:34:02 PDT 2000 
State-Changed-Why:  
Duplicate of PR 16240. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20877 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: volf@oasis.iaehv.nl (Frank Volf)
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect 
Date: Mon, 28 Aug 2000 11:42:39 +0200

 On Sun, 27 Aug 2000 19:45:22 +0200, Frank Volf wrote:
 
 > I disagree with the fact that you simply close this pr as being a duplicate
 > case of PR 16240.
 > 
 > PR 16240 tries to address the generic problem, which is indeed present in 
 > many network implementations and may or may not be difficult to fix.
 
 Do you not agree that the resolution to PR 16240 will resolve PR 20877
 as a side-effect?
 
 I know that we're not altogether keen on applying hack-arounds for more
 general problems unless the more general problems can't be resolved in
 the foreseeable future.
 
 Ciao,
 Sheldon.
 

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Frank Volf <volf@oasis.IAEhv.nl>
Cc: bug-followup@FreeBSD.org, Garrett Wollman <wollman@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Date: Mon, 28 Aug 2000 19:46:47 +0300

 --EeQfGwPcQSOJBaQU
 Content-Type: text/plain; charset=us-ascii
 
 On Sun, Aug 27, 2000 at 07:45:22PM +0200, Frank Volf wrote:
 > 
 > I disagree with the fact that you simply close this pr as being a duplicate
 > case of PR 16240.
 > 
 > PR 16240 tries to address the generic problem, which is indeed present in 
 > many network implementations and may or may not be difficult to fix.
 > 
 > Here, a very simple patch is presented for a special instance of 16240 
 > (an instance that occurs a lot, e.g. using udp based traceroute). I see no
 > reason why this patch cannot be applied to FreeBSD.
 > 
 The reason is simple -- your patch is wrong and incomplete.
 
 > If there *are* issues that I overlooked I would like to hear about them, 
 > and have them properly discussed.
 > 
 You overlooked (amongst other things) that the ip_off field is also vulnerable.
 
 The basic idea is that all IP header fields SHOULD BE in host byte order
 right after the start of ip_input(), and ip_output() converts them back
 to network byte order.  So in icmp_error() the bytes should still be in
 host byte order, this is even implied by the following piece of code:
 
         /*
          * Don't send error if not the first fragment of message.
          * Don't error if the old packet protocol was ICMP
          * error message, only known informational types.
          */
         if (oip->ip_off &~ (IP_MF|IP_DF))
                 goto freeit;
 
 
 Attached is the patch that fixes part of the problems with ICMP error generation.
 It could be applied to both 5.0-CURRENT and 4.1-STABLE.  This patch is still
 incomplete; it is missing the ip_output() portion of the fixes.  I will develop and
 test the remaining bits tomorrow and commit it along with this patch.
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 
 --EeQfGwPcQSOJBaQU
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename=p
 
 Index: ip_icmp.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
 retrieving revision 1.43
 diff -u -p -r1.43 ip_icmp.c
 --- ip_icmp.c	2000/06/02 20:18:38	1.43
 +++ ip_icmp.c	2000/08/28 16:28:41
 @@ -191,7 +191,14 @@ icmp_error(n, type, code, dest, destifp)
  	icp->icmp_code = code;
  	bcopy((caddr_t)oip, (caddr_t)&icp->icmp_ip, icmplen);
  	nip = &icp->icmp_ip;
 -	nip->ip_len = htons((u_short)(nip->ip_len + oiplen));
 +	nip->ip_len += oiplen;
 +
 +	/*
 +	 * Convert fields to network representation.
 +	 */
 +	HTONS(nip->ip_len);
 +	HTONS(nip->ip_id);
 +	HTONS(nip->ip_off);
  
  	/*
  	 * Now, copy old ip header (without options)
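Review bot: this hunk assumes every caller still has ip_id and ip_off in host byte order when it reaches icmp_error(); any path that already converted them (ip_forward() did `HTONS(ip->ip_id)` before this patch, and packet filters hooked into ip_input() are the open question raised later in the thread) would now be double-swapped, so the ip_input.c hunk has to land in the same commit and the remaining icmp_error() callers should be audited for their own conversions. Dropping the `(u_short)` cast is fine since ip_len is already u_short; note that after the three `HTONS()` calls the copied header must not be read through `nip` as host-order values again further down.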
 Index: ip_input.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
 retrieving revision 1.138
 diff -u -p -r1.138 ip_input.c
 --- ip_input.c	2000/07/31 23:41:47	1.138
 +++ ip_input.c	2000/08/28 16:28:41
 @@ -1496,7 +1496,6 @@ ip_forward(m, srcrt)
  		m_freem(m);
  		return;
  	}
 -	HTONS(ip->ip_id);
  #ifdef IPSTEALTH
  	if (!ipstealth) {
  #endif
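Review bot: removing `HTONS(ip->ip_id)` from ip_forward() is only correct together with the ip_icmp.c hunk (the ICMP side) and with an ip_output() that converts ip_id for forwarded packets, which the covering message says is still missing; applied on its own, forwarded packets leave the router with a byte-swapped ip_id, which is exactly the regression Frank asks about later in the thread. Suggest holding this hunk until the ip_output() part is ready and committing both together.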
 
 --EeQfGwPcQSOJBaQU--
 
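The byte-order problem described in the original report and in Ruslan's explanation above, as an added example that is not part of the PR or of the FreeBSD sources: a user-space C model of what ip_input() and icmp_error() do to the header of a constructed traceroute-style probe, with the pre-patch quoting and the patched quoting side by side. The cut-down struct, the emulate_* helpers and the probe values (id 0x1234, DF set) are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define IP_DF 0x4000   /* don't-fragment flag, as in netinet/ip.h */

/* Cut-down IPv4 header with the fields the thread is about (assumed layout). */
struct iphdr_min {
	uint8_t  ip_vhl, ip_tos;
	uint16_t ip_len, ip_id, ip_off;
	uint8_t  ip_ttl, ip_p;
	uint16_t ip_sum;
	uint32_t ip_src, ip_dst;
};

/* What ip_input() has done by the time UDP sees the header: ip_len, ip_id
 * and ip_off are in host order and the header length is taken off ip_len. */
static void emulate_ip_input(struct iphdr_min *ip)
{
	ip->ip_len = (uint16_t)(ntohs(ip->ip_len) - sizeof(*ip));
	ip->ip_id  = ntohs(ip->ip_id);
	ip->ip_off = ntohs(ip->ip_off);
}

/* The quoting step of icmp_error(): fixed == 0 is the pre-patch code (only
 * ip_len converted back), fixed == 1 is the ip_icmp.c hunk in the thread,
 * which converts ip_id and ip_off as well. */
static void emulate_icmp_quote(const struct iphdr_min *oip,
    struct iphdr_min *nip, int fixed)
{
	*nip = *oip;
	nip->ip_len = htons((uint16_t)(nip->ip_len + sizeof(*oip)));
	if (fixed) {
		nip->ip_id  = htons(nip->ip_id);
		nip->ip_off = htons(nip->ip_off);
	}
}

/* Push a constructed traceroute-style probe (id 0x1234, DF set, TTL 1)
 * through the emulated path. Returns 1 if the header quoted in the ICMP
 * error is byte-for-byte what the sender put on the wire; *seen_id gets
 * the ip_id a receiver would read out of the quote (0x1234 when faithful). */
int probe_quote_is_faithful(int fixed, uint16_t *seen_id)
{
	struct iphdr_min wire = { .ip_vhl = 0x45, .ip_len = htons(20 + 8 + 32),
	    .ip_id = htons(0x1234), .ip_off = htons(IP_DF), .ip_ttl = 1, .ip_p = 17 };
	struct iphdr_min in = wire, quoted;
	emulate_ip_input(&in);
	emulate_icmp_quote(&in, &quoted, fixed);
	*seen_id = ntohs(quoted.ip_id);
	return memcmp(&wire, &quoted, sizeof wire) == 0;
}

/* The missing swap is a no-op on big-endian hosts: the bug shows on i386. */
int host_is_big_endian(void) { return htons(1) == 1; }
```

On a little-endian host the unpatched quote hands the sender ip_id 0x3412 instead of 0x1234, which is the fingerprintable difference the thread mentions.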

From: volf@oasis.IAEhv.nl (Frank Volf)
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: Frank Volf <volf@oasis.IAEhv.nl>,
	freebsd-gnats-submit@freebsd.org
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Date: Mon, 28 Aug 2000 23:59:50 +0200 (CEST)

 Sheldon Hearn wrote:
 > 
 > On Sun, 27 Aug 2000 19:45:22 +0200, Frank Volf wrote:
 > 
 > > I disagree with the fact that you simply close this pr as being a duplicate
 > > case of PR 16240.
 > > 
 > > PR 16240 tries to address the generic problem, which is indeed present in 
 > > many network implementations and may or may not be difficult to fix.
 > 
 > Do you not agree that the resolution to PR 16240 will resolve PR 20877
 > as a side-effect?
 
 Yes, I agree. But the impression that I got from PR 16240 is, that the 
 general problem is too difficult to solve and I got the feeling that it
 would not be solved at all....
 
 The reason that I want this fixed are twofold:
 
 1) OS fingerprinting. Because FreeBSD returns the wrong data, you can 
    use that information to
 2) I'm working on fixing a bug in IP-Filter that has to do with NAT and ICMP 
    error messages associated with the NAT-ed connection. However, before I
    can fix that, I must first make sure that the host OS behaves properly :-)
 
 > I know that we're not altogether keen on applying hack-arounds for more
 > general problems unless the more general problems can't be resolved in
 > the foreseeable future.
 
 If someone is going to tackle the generic problem, that would be great. But,
 then you should say: hey we are working on fixing the general case so we
 are closing your PR....
 
 Frank
 
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: volf@oasis.iaehv.nl (Frank Volf)
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect 
Date: Tue, 29 Aug 2000 00:09:04 +0200

 On Mon, 28 Aug 2000 23:59:50 +0200, Frank Volf wrote:
 
 > If someone is going to tackle the generic problem, that would be great. But,
 > then you should say: hey we are working on fixing the general case so we
 > are closing your PR....
 
 You'll find that there are people even more qualified to criticise the
 way the PR database is handled, namely the volunteers who handle it. 
 For example, check this out... ;-)
 
 You're quite right.  Your PR could definitely have been closed with a
 message better geared toward putting you at ease.
 
 Now...
 
 All we can really offer you as consolation is that there are lots of
 PRs and not as many people working on them.  So if we can at least
 limit the database to one PR per problem, the folks doing the work of
 tackling problems are more likely to find their investment of time
    paying worthwhile dividends.
 
 So please try to be understanding of the volunteers who do what they can
 to ensure that FreeBSD works as well as possible for as many people as
 possible.  Even when we make mistakes while doing so. :-)
 
 Ciao,
 Sheldon.
 

From: volf@oasis.IAEhv.nl (Frank Volf)
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: Frank Volf <volf@oasis.IAEhv.nl>, bug-followup@FreeBSD.org,
	Garrett Wollman <wollman@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Date: Tue, 29 Aug 2000 00:17:04 +0200 (CEST)

 Ruslan Ermilov wrote:
 > On Sun, Aug 27, 2000 at 07:45:22PM +0200, Frank Volf wrote:
 > > 
 > > I disagree with the fact that you simply close this pr as being a duplicate
 > > case of PR 16240.
 > > 
 > > PR 16240 tries to address the generic problem, which is indeed present in 
 > > many network implementations and may or may not be difficult to fix.
 > > 
 > > Here, a very simple patch is presented for a special instance of 16240 
 > > (an instance that occurs a lot, e.g. using udp based traceroute). I see no
 > > reason why this patch cannot be applied to FreeBSD.
 > > 
 > The reason is simple -- your patch is wrong and incomplete.
 
 I agree that I overlooked the ip_off part. At the place where I inserted my
 patch the packet is reassembled so ip_off must be zero. But I forgot about
 the MF and DF flags that could be set, and therefore my patch does not work
 for that case. Sorry for that.
 
 I'll try your patch and see how it works.
 
 Thanks,
 
              Frank
 
 

From: volf@oasis.IAEhv.nl (Frank Volf)
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: Frank Volf <volf@oasis.IAEhv.nl>,
	freebsd-gnats-submit@freebsd.org
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Date: Tue, 29 Aug 2000 00:34:03 +0200 (CEST)

 Sheldon,
 
 I know everything about the huge effort that an organization needs to make
 to handle the problems of its users (I've been working far too long in that
 area.... :-).
 
 I know that FreeBSD volunteers put in a huge effort to help everybody out,
 so no problem there either.
 
 I just had the feeling that I might not be taken seriously. While, in my
 opinion, the people that are willing to make PR's are often the people that
 care about FreeBSD!
 
 But never mind, I think we have things on the road now, and we will be able
 to tackle this problem once and for all!
 
 Frank
 
 
 
 

From: volf@oasis.IAEhv.nl (Frank Volf)
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: Frank Volf <volf@oasis.IAEhv.nl>, bug-followup@FreeBSD.org,
	Garrett Wollman <wollman@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Date: Tue, 29 Aug 2000 01:03:44 +0200 (CEST)

 Ruslan,
 
 I verified your patch, and it seems to work for udp based traceroutes. 
 I do have two questions though:
 
 1) You might have broken ipfw, ipfilter and possibly other packet filtering
    systems that are called in ip_input(); if they use icmp_error() and they
    did the right thing (fixing ip_id e.a) then they do now the wrong thing
    :-)
 
 2) I do not understand why you remove HTONS(ip->ip_id) from ip_forward().
    I have the feeling, without being able to pinpoint it, that you have
    broken something: because now you change the ip_id for every ip packet
    that goes through ip_forward()! If this was not broken before it must
    be broken now (or I must get some sleep....).
 
 Frank
 
 
 
 
 Ruslan Ermilov wrote:
 > On Sun, Aug 27, 2000 at 07:45:22PM +0200, Frank Volf wrote:
 > > 
 > > I disagree with the fact that you simply close this pr as being a duplicate
 > > case of PR 16240.
 > > 
 > > PR 16240 tries to address the generic problem, which is indeed present in 
 > > many network implementations and may or may not be difficult to fix.
 > > 
 > > Here, a very simple patch is presented for a special instance of 16240 
 > > (an instance that occurs a lot, e.g. using udp based traceroute). I see no
 > > reason why this patch cannot be applied to FreeBSD.
 > > 
 > The reason is simple -- your patch is wrong and incomplete.
 > 
 > > If there *are* issues that I overlooked I would like to hear about them, 
 > > and have them properly discussed.
 > > 
 > You overlooked (amongst other things) that ip_off field is also vulnerable.
 > 
 > The basic idea is that all IP header fields SHOULD BE in host byte order
 > right after the start of ip_input(), and ip_output() converts them back
 > to network byte order.  So in icmp_error() the bytes should still be in
 > host byte order, this is even implied by the following piece of code:
 > 
 >         /*
 >          * Don't send error if not the first fragment of message.
 >          * Don't error if the old packet protocol was ICMP
 >          * error message, only known informational types.
 >          */
 >         if (oip->ip_off &~ (IP_MF|IP_DF))
 >                 goto freeit;
 > 
 > 
 > Attached is the patch that fixes part of problems with ICMP error generation.
 > It could be applied to both 5.0-CURRENT and 4.1-STABLE.  This patch is still
 > incomplete, it misses the ip_output() portion of fixes.  I will develop and
 > test the remaining bits tomorrow and commit it along with this patch.
 > 
 > 
 > Cheers,
 > -- 
 > Ruslan Ermilov		Oracle Developer/DBA,
 > ru@sunbay.com		Sunbay Software AG,
 > ru@FreeBSD.org		FreeBSD committer,
 > +380.652.512.251	Simferopol, Ukraine
 > 
 > http://www.FreeBSD.org	The Power To Serve
 > http://www.oracle.com	Enabling The Information Age
 
 [ Attachment, skipping... ]
 
 
 

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Frank Volf <volf@oasis.IAEhv.nl>
Cc: bug-followup@FreeBSD.org, Garrett Wollman <wollman@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>
Subject: Re: kern/20877: ICMP error msg on UDP port unreachable is incorrect
Date: Tue, 29 Aug 2000 10:49:06 +0300

 On Tue, Aug 29, 2000 at 01:03:44AM +0200, Frank Volf wrote:
 > 
 > Ruslan,
 > 
 > I verified your patch, and it seems to work for udp based traceroutes. 
 > I do have two questions though:
 > 
 > 1) You might have broken ipfw, ipfilter and possibly other packet filtering
 >    systems that are called in ip_input(); if they use icmp_error() and they
 >    did the right thing (fixing ip_id e.a) then they do now the wrong thing
 >    :-)
 > 
 No, they do not "fix" it, and so they were broken as well.  It can be checked
 by adding the following ipfw(8) rule:
 
 ipfw add 10 unreach host ip from foo to bar
 
 > 2) I do not understand why you remove HTONS(ip->ip_id) from ip_forward().
 >    I have the feeling, without being able to pinpoint it, that you have
 >    broken something: because now you change the ip_id for every ip packet
 >    that goes through ip_forward()! If this was not broken before it must
 >    be broken now (or I must get some sleep....).
 > 
 Because HTONS(ip->ip_id) has migrated to icmp_error() where it should be.
 Try `traceroute -m1 1.2.3.4' via FreeBSD router from one-hop-away host.
 
 BTW NetBSD had this bug fixed since January 1999 in a similar fashion.
 
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 
Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: ru 
Responsible-Changed-When: Wed Aug 30 01:42:49 PDT 2000 
Responsible-Changed-Why:  
Prevent people from committing incomplete changes 
while I am working on a proper patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20877 
>Unformatted:
