Message-Id: <200510120754.j9C7sDOZ098623@www.freebsd.org>
Date: Wed, 12 Oct 2005 07:54:13 GMT
From: Rickard Lind <rickard.lind@ntier.se>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IP_PORTRANGE_HIGH causes bad UDP checksum
X-Send-Pr-Version: www-2.3

>Number:         87306
>Category:       kern
>Synopsis:       IP_PORTRANGE_HIGH causes bad UDP checksum
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 12 08:00:22 GMT 2005
>Closed-Date:    Fri Nov 04 18:38:00 GMT 2005
>Last-Modified:  Fri Nov 04 18:38:00 GMT 2005
>Originator:     Rickard Lind
>Release:        5.4
>Organization:
NTier Solutions
>Environment:
FreeBSD nevermind 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May  8 10:21:06 UTC 2005     root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
Due to a mixup of two fields, setting the socket option IP_PORTRANGE_HIGH on a UDP socket in order to bind a high (random) port affects the checksum calculation such that the resulting checksum is incorrect.
>How-To-Repeat:
Create a UDP (SOCK_DGRAM) socket. Set the IP_PORTRANGE_HIGH socket option. Bind with a zero port. Send some data to another host. Ethereal on the receiving host reports the UDP checksum as incorrect.
>Fix:
The problem is that the flag INP_ONESBCAST has the same value (0x10) as the flag INP_HIGHPORT in sys/netinet/in_pcb.h, and INP_ONESBCAST is tested against the inp_flags field (in sys/netinet/udp_usrreq.c and sys/netinet/raw_ip.c) when it SHOULD be tested against the inp_vflag field. This causes the checksum calculation on line 867 in udp_usrreq.c to use the broadcast address leading to an incorrect checksum.
>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: bms@freebsd.org
Cc: Rickard Lind <rickard.lind@ntier.se>, bug-followup@freebsd.org
Subject: Re: kern/87306: IP_PORTRANGE_HIGH causes bad UDP checksum
Date: Wed, 12 Oct 2005 12:41:06 +0400 (MSD)

 > >Description:
 > Due to a mixup of two fields, setting the socket option
 > IP_PORTRANGE_HIGH on a UDP socket in order to bind a high (random)
 > port affects the checksum calculation such that the resulting
 > checksum is incorrect.
 > >How-To-Repeat:
 > Create a UDP (SOCK_DGRAM) socket. Set the IP_PORTRANGE_HIGH socket
 > option. Bind with a zero port. Send some data to another host.
 > Ethereal on the receiving host reports the UDP checksum as
 > incorrect.
 > >Fix:
 > The problem is that the flag INP_ONESBCAST has the same value (0x10)
 > as the flag INP_HIGHPORT in sys/netinet/in_pcb.h, and INP_ONESBCAST
 > is tested against the inp_flags field (in sys/netinet/udp_usrreq.c
 > and sys/netinet/raw_ip.c) when it SHOULD be tested against the
 > inp_vflag field. This causes the checksum calculation on line 867 in
 > udp_usrreq.c to use the broadcast address leading to an incorrect
 > checksum.
 
 Rickard, it seems your analysis is correct.  Thanks for the high quality
 bug report!
 
 Bruce, what is your opinion?
 
 Index: raw_ip.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/raw_ip.c,v
 retrieving revision 1.154
 diff -u -r1.154 raw_ip.c
 --- raw_ip.c	4 Oct 2005 18:19:21 -0000	1.154
 +++ raw_ip.c	12 Oct 2005 08:32:15 -0000
 @@ -316,7 +316,7 @@
  		ipstat.ips_rawout++;
  	}
 
 -	if (inp->inp_flags & INP_ONESBCAST)
 +	if (inp->inp_vflags & INP_ONESBCAST)
  		flags |= IP_SENDONES;
 
  #ifdef MAC
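Review bot: the replacement test in raw_ip.c reads `inp->inp_vflags`, while the report's Fix section names the field `inp_vflag`; please check the spelling against the struct inpcb member declared in sys/netinet/in_pcb.h, since a mismatched member name will not compile. It would also help to say in the commit message that INP_ONESBCAST and INP_HIGHPORT share the value 0x10, so that it is clear why the wrong field went unnoticed.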
 Index: udp_usrreq.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/udp_usrreq.c,v
 retrieving revision 1.177
 diff -u -r1.177 udp_usrreq.c
 --- udp_usrreq.c	26 Sep 2005 20:25:16 -0000	1.177
 +++ udp_usrreq.c	12 Oct 2005 08:32:31 -0000
 @@ -860,14 +860,14 @@
  		ipflags |= IP_ROUTETOIF;
  	if (inp->inp_socket->so_options & SO_BROADCAST)
  		ipflags |= IP_ALLOWBROADCAST;
 -	if (inp->inp_flags & INP_ONESBCAST)
 +	if (inp->inp_vflags & INP_ONESBCAST)
  		ipflags |= IP_SENDONES;
 
  	/*
  	 * Set up checksum and output datagram.
  	 */
  	if (udpcksum) {
 -		if (inp->inp_flags & INP_ONESBCAST)
 +		if (inp->inp_vflags & INP_ONESBCAST)
  			faddr.s_addr = INADDR_BROADCAST;
  		ui->ui_sum = in_pseudo(ui->ui_src.s_addr, faddr.s_addr,
  		    htons((u_short)len + sizeof(struct udphdr) + IPPROTO_UDP));
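Review bot: the INP_ONESBCAST test appears twice in this hunk, once when building ipflags and again inside the `if (udpcksum)` block, and both replacement lines spell the field `inp_vflags` where the report says `inp_vflag`. Consider deciding once, for example by testing `ipflags & IP_SENDONES` in the checksum block, so the two sites cannot diverge, and add a comment at the INP_ONESBCAST definition in in_pcb.h stating which field it belongs to, since per the report it has the same value (0x10) as INP_HIGHPORT.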
 %%%
 
 -- 
 Maxim Konovalov

From: Bruce M Simpson <bms@spc.org>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: Rickard Lind <rickard.lind@ntier.se>, bug-followup@freebsd.org
Subject: Re: kern/87306: IP_PORTRANGE_HIGH causes bad UDP checksum
Date: Wed, 12 Oct 2005 09:49:38 +0100

 On Wed, Oct 12, 2005 at 12:41:06PM +0400, Maxim Konovalov wrote:
 > Rickard, it seems your analysis is correct.  Thanks for the high quality
 > bug report!
 > Bruce, what is your opinion?
 
 Looks good to go in.
 
 BMS
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Wed Oct 12 18:16:43 GMT 2005 
State-Changed-Why:  
Fixed in HEAD. Thanks for the report! 


Responsible-Changed-From-To: freebsd-bugs->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Wed Oct 12 18:16:43 GMT 2005 
Responsible-Changed-Why:  
Fixed in HEAD. Thanks for the report! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=87306 
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Fri Nov 4 18:37:30 GMT 2005 
State-Changed-Why:  
Fixed in RELENG_6.  Thanks again! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=87306 
>Unformatted:
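The flag collision described in the report, as an added example that is not part of the PR or of the FreeBSD source. Only the 0x10 flag values and the field names inp_flags and inp_vflag come from the report; struct pcb, pseudo_sum, cksum_dst_buggy, cksum_dst_fixed and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag values as quoted in the report: both are 0x10, in different fields. */
#define INP_HIGHPORT   0x10   /* kept in inp_flags (set by IP_PORTRANGE_HIGH) */
#define INP_ONESBCAST  0x10   /* kept in inp_vflag */
#define ADDR_BROADCAST 0xffffffffu
#define PROTO_UDP      17

/* Simplified stand-in for the kernel PCB: only the two flag fields. */
struct pcb { int inp_flags; uint8_t inp_vflag; };

/* One's-complement sum of the UDP pseudo-header (src, dst, proto, length). */
static uint16_t pseudo_sum(uint32_t src, uint32_t dst, uint16_t udplen)
{
    uint32_t s = (src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff)
               + PROTO_UDP + udplen;
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Before the fix: the flag is tested against the wrong field. */
static uint32_t cksum_dst_buggy(const struct pcb *p, uint32_t faddr)
{
    return (p->inp_flags & INP_ONESBCAST) ? ADDR_BROADCAST : faddr;
}

/* After the fix: the flag is tested against the field it is stored in. */
static uint32_t cksum_dst_fixed(const struct pcb *p, uint32_t faddr)
{
    return (p->inp_vflag & INP_ONESBCAST) ? ADDR_BROADCAST : faddr;
}

int main(void)
{
    /* Constructed sample: 192.0.2.10 -> 192.0.2.20, 20-byte UDP datagram,
     * on a socket that set IP_PORTRANGE_HIGH and nothing else. */
    struct pcb p = { INP_HIGHPORT, 0 };
    uint32_t src = 0xc000020a, dst = 0xc0000214;
    printf("buggy: %#06x  fixed: %#06x  expected by receiver: %#06x\n",
           (unsigned)pseudo_sum(src, cksum_dst_buggy(&p, dst), 20),
           (unsigned)pseudo_sum(src, cksum_dst_fixed(&p, dst), 20),
           (unsigned)pseudo_sum(src, dst, 20));
    return 0;
}
```

The receiver computes the pseudo-header over the real destination address, so the sum built over the broadcast address in the buggy path is what a capture tool flags as a bad UDP checksum.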
