From Jean-Luc.Richier@imag.fr  Sun Jul 14 11:04:15 2002
Message-Id: <200207141802.g6EI2aUq093340@luna.imag.fr>
Date: Sun, 14 Jul 2002 20:02:36 +0200 (CEST)
From: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
Reply-To: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>
Subject: gif driver can clobber route/arp table
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         40563
>Category:       kern
>Synopsis:       gif driver can clobber route/arp table
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 14 11:10:01 PDT 2002
>Closed-Date:    Tue Dec 13 00:55:20 GMT 2005
>Last-Modified:  Tue Dec 13 00:55:20 GMT 2005
>Originator:     Jean-Luc Richier
>Release:        FreeBSD 4.6-RELEASE i386
>Organization:
LSR-IMAG Grenoble, France
>Environment:
System: FreeBSD luna.imag.fr 4.6-RELEASE FreeBSD 4.6-RELEASE #6: Wed Jun 12 18:55:37 GMT 2002 richier@luna.imag.fr:/usr/src/sys/compile/VLAN i386
	also FreeBSD current (June, 24 2002)
	and KAME FreeBSD (kame-20020708-freebsd46-snap.tgz)

>Description:
	If the destination of an IPv4 tunnel (gif interface) is changed
	between IPv4 and IPv6 addresses, incorrect information is set in the
	kernel/route table

>How-To-Repeat:
	Consider the following script (GIF)
		PATH="/sbin:/usr/sbin:$PATH"
		export PATH
		ifn=gif1

		eval `ifconfig | awk '
		($1 == "inet" && !inet) { inet = $2 }
		($1 == "inet6" && !inet6 && $2 ~ /^[23].*[^:]$/) { inet6 = $2 }
		END  {  t = 0; if (inet ~ /0$/) t = 1
			dst = inet; sub(/.$/, t, dst)
			t = 0; if (inet6 ~ /0$/) t = 1
			dst6 = inet6; sub(/.$/, t, dst6)
			print "inet=" inet; print "dst=" dst
			print "inets=" inet6; print "dsts=" dst6 }'`
		ifconfig $ifn unplumb >/dev/null 2>&1
		set -x
		ifconfig $ifn create
		gifconfig $ifn inet6 $inets $dsts
		ifconfig $ifn inet6 add 5000:1::1/128 5000:2::1
		: Can be long
		ping6 -c 1 5000:2::1
		: Can be long
		ping -c 1 $dst
		gifconfig $ifn $inet $dst
		: Can be long
		ping6 -c 1 5000:2::1
		: If error there will be two entries for $dst
		arp -an

	sh GIF
        + : If error there will be two entries for 129.88.38.10
        + arp -an
        ? (129.88.38.1) at 00:03:ba:00:d5:0f on dc0 [ethernet]
        ? (129.88.38.10) at 08:00:20:82:e1:a9 on dc0 [ethernet]
        ? (129.88.38.10) at (incomplete) on dc0 [ethernet

>Fix:
	There is a missing bzero in in_gif.c - If the cached route for the
	destination address of the tunnel is changed, some of the fields are
	modified for the new route. But if the change is from an IPv6
	address to an IPv4 address, not all the IPv4 fields are correct:
	the sin_zero part of the sockaddr_in struct is not cleared,
	and therefore the arp lookup will fail (as a match in route is done
	on the 16 bytes of the sockaddr)
	This bug is not in in6_gif.c (the bzero of the route cache is done)

	To correct:
--- /sys/netinet/in_gif.c.DIST	Sun Apr 28 07:40:26 2002
+++ /sys/netinet/in_gif.c	Thu May 23 17:21:49 2002
@@ -167,6 +167,7 @@
 	if (dst->sin_family != sin_dst->sin_family ||
 	    dst->sin_addr.s_addr != sin_dst->sin_addr.s_addr) {
 		/* cache route doesn't match */
+		bzero(dst, sizeof(*dst));
 		dst->sin_family = sin_dst->sin_family;
 		dst->sin_len = sizeof(struct sockaddr_in);
 		dst->sin_addr = sin_dst->sin_addr;
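
Review bot: the bzero added at the top of the mismatch branch has no comment saying why the whole sockaddr must be cleared, and a later reader could take it for redundant since sin_family, sin_len and sin_addr are assigned right after it. Suggest a short comment noting that sin_port and sin_zero may hold bytes left from a previous destination and that lookups compare the full structure. The new line also sizes the structure as sizeof(*dst) while the sin_len assignment two lines below uses sizeof(struct sockaddr_in); using one form for both would keep the two from drifting apart.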

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Fri Jun 18 01:57:19 GMT 2004 
Responsible-Changed-Why:  
I'll take this 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40563 
State-Changed-From-To: open->patched 
State-Changed-By: bms 
State-Changed-When: Fri Jun 18 02:04:10 GMT 2004 
State-Changed-Why:  
An appropriate fix has been committed to -CURRENT 

State-Changed-From-To: patched->closed 
State-Changed-By: bms 
State-Changed-When: Tue Dec 13 00:54:58 UTC 2005 
State-Changed-Why:  
-CURRENT is now -STABLE 

>Unformatted:
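
The failure mode described under ">Fix:", modelled in user space as an added example (not code from this PR or from FreeBSD). The struct layouts, `route_slot`, `set_v4_dst` and `switch_and_lookup` are constructed for illustration, and the full-width `memcmp` stands in for the lookup that the report says matches on all 16 bytes of the sockaddr.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified models of the BSD sockaddr layouts (constructed for this example). */
struct m_sockaddr_in {            /* 16 bytes */
    uint8_t sin_len, sin_family; uint16_t sin_port;
    uint32_t sin_addr; uint8_t sin_zero[8];
};
struct m_sockaddr_in6 {           /* 28 bytes; sin6_addr starts at offset 8 */
    uint8_t sin6_len, sin6_family; uint16_t sin6_port;
    uint32_t sin6_flowinfo; uint8_t sin6_addr[16]; uint32_t sin6_scope_id;
};
/* Hypothetical stand-in for a cached destination reused by both families. */
union route_slot { struct m_sockaddr_in v4; struct m_sockaddr_in6 v6; };
enum { M_AF_INET = 2, M_AF_INET6 = 28 };

/* Mirrors the mismatch branch; `clear` selects the patched behaviour. */
static void set_v4_dst(union route_slot *slot, uint32_t addr, int clear)
{
    struct m_sockaddr_in *dst = &slot->v4;
    if (clear)
        memset(dst, 0, sizeof(*dst));
    dst->sin_family = M_AF_INET;
    dst->sin_len = sizeof(struct m_sockaddr_in);
    dst->sin_addr = addr;
}

/* Point the slot at 5000:2::1, switch it to 129.88.38.10, then compare it
 * with a freshly zeroed lookup key over all 16 bytes. Returns 1 on a match. */
static int switch_and_lookup(int clear)
{
    static const uint8_t v6[16] = { 0x50, 0x00, 0x00, 0x02, [15] = 0x01 };
    const uint32_t v4 = 0x8158260aU;   /* 129.88.38.10; byte order is irrelevant here */
    union route_slot slot, key;
    memset(&slot, 0, sizeof(slot));
    slot.v6.sin6_len = sizeof(slot.v6);
    slot.v6.sin6_family = M_AF_INET6;
    memcpy(slot.v6.sin6_addr, v6, sizeof(v6));  /* first 8 bytes overlap sin_zero */
    set_v4_dst(&slot, v4, clear);
    set_v4_dst(&key, v4, 1);                    /* clean key, as a fresh lookup builds */
    return memcmp(&slot.v4, &key.v4, sizeof(key.v4)) == 0;
}

int main(void)
{
    printf("without bzero: match=%d\n", switch_and_lookup(0));
    printf("with bzero:    match=%d\n", switch_and_lookup(1));
    return 0;
}
```

Without the clear, the leading bytes of the IPv6 address survive in `sin_zero`, so the reused entry never equals a clean IPv4 key. This is consistent with the duplicate `(incomplete)` line in the `arp -an` output above.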
