One of our engineers @ISC discovered that there is a bug in the currently released version of libpcap (in base and in ports) that can be triggered when using an "ip6 protochain" filter. It's due to the fairly complicated BPF bytecode that libpcap generates for IPv6 header chasing combined with a sign extension bug when processing JA (jump absolute) opcodes. (JA is used to go backwards, and without sign extension on 64-bit platforms the BPF interpreter incorrectly jumps forward... a lot.)

Fix: There is a fix in the libpcap repository: https://github.com/mcr/libpcap/commit/ecdc5c0a7f7591a7cd4aff696e42757c677fbbf7 but the tcpdump-workers have been pretty tardy about putting out newer code, so it sits there stalled.

With the patch applied, it all works well and you should see something like this:

-=-
$ tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 58'
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
18:43:07.098489 IP6 fe80::208:7dff:feb7:2cca > ff02::1: HBH ICMP6, multicast listener queryv2 [gaddr ::], length 28
-=-

How-To-Repeat:
root@freebsd8:~# tcpdump -nr ip6-hopbyhop-icmp.pcap 'ip6 protochain 58'
reading from file ip6-hopbyhop-icmp.pcap, link-type EN10MB (Ethernet)
Segmentation fault: 11 (core dumped)
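The sign-extension failure described in the report above, as an added example that is not part of this PR or of libpcap's own code. It is a toy interpreter over an assumed subset of the classic BPF encoding (my own definitions, not libpcap's headers) running a constructed countdown program that stands in for the "ip6 protochain" loop: it exits the loop through a BPF_JMP|BPF_JA with a negative k, and applies that k both ways, zero-extended as the unpatched `pc += pc->k` does on a 64-bit host, and sign-extended through a bpf_int32 cast as the upstream fix does. The names ja_delta, bpf_run, countdown_prog, countdown_status and countdown_steps are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed minimal subset of classic BPF; my definitions, not libpcap's headers. */
typedef uint32_t bpf_u_int32;
typedef int32_t  bpf_int32;

struct bpf_insn {
    uint16_t    code;
    uint8_t     jt;
    uint8_t     jf;
    bpf_u_int32 k;      /* unsigned 32-bit immediate, as in libpcap */
};

#define BPF_LD   0x00
#define BPF_ALU  0x04
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_IMM  0x00
#define BPF_K    0x00
#define BPF_A    0x10
#define BPF_SUB  0x10
#define BPF_JA   0x00
#define BPF_JEQ  0x10

enum { RUN_OK = 0, RUN_OUT_OF_RANGE = -1, RUN_NO_EXIT = -2, RUN_BAD_OPCODE = -3 };

/*
 * Displacement that "pc += pc->k" really applies on a 64-bit host.  With no
 * cast the unsigned 32-bit k is zero-extended, so an encoded -2 (0xFFFFFFFE)
 * advances pc by 4294967294 instructions.  Casting to bpf_int32 first, as
 * the upstream fix does, sign-extends it and -2 stays -2.
 */
static int64_t ja_delta(bpf_u_int32 k, int sign_extend)
{
    return sign_extend ? (int64_t)(bpf_int32)k : (int64_t)k;
}

/*
 * Toy interpreter mirroring bpf_filter()'s control flow: the loop does ++pc
 * first, so a jump's k is relative to the instruction after it.  Unlike the
 * real interpreter it bounds-checks pc instead of dereferencing it, so a wild
 * jump is reported rather than crashing the process.
 */
static int bpf_run(const struct bpf_insn *prog, size_t len, int sign_extend,
                   bpf_u_int32 *result, size_t *steps)
{
    int64_t pc = -1;
    bpf_u_int32 A = 0;
    size_t n = 0;
    const struct bpf_insn *ins;

    for (;;) {
        ++pc;
        if (pc < 0 || (uint64_t)pc >= len)
            return RUN_OUT_OF_RANGE;
        if (++n > 1000)                 /* backward jump with no way out */
            return RUN_NO_EXIT;
        ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD|BPF_IMM:        A = ins->k;                              break;
        case BPF_ALU|BPF_SUB|BPF_K: A -= ins->k;                             break;
        case BPF_JMP|BPF_JEQ|BPF_K: pc += (A == ins->k) ? ins->jt : ins->jf; break;
        case BPF_JMP|BPF_JA:        pc += ja_delta(ins->k, sign_extend);     break;
        case BPF_RET|BPF_A:         *result = A; *steps = n;                 return RUN_OK;
        default:                    return RUN_BAD_OPCODE;
        }
    }
}

/* Constructed stand-in for the protochain loop: count A down from 3 to 0,
 * looping back through a JA whose k is negative. */
static const struct bpf_insn countdown_prog[] = {
    { BPF_LD|BPF_IMM,        0, 0, 3 },               /* 0: A = 3            */
    { BPF_JMP|BPF_JEQ|BPF_K, 2, 0, 0 },               /* 1: if A == 0 goto 4 */
    { BPF_ALU|BPF_SUB|BPF_K, 0, 0, 1 },               /* 2: A -= 1           */
    { BPF_JMP|BPF_JA,        0, 0, (bpf_u_int32)-3 }, /* 3: goto 1 (k = -3)  */
    { BPF_RET|BPF_A,         0, 0, 0 },               /* 4: return A         */
};
#define COUNTDOWN_LEN (sizeof countdown_prog / sizeof countdown_prog[0])

/* RUN_OK with the sign-extending fix, RUN_OUT_OF_RANGE without it. */
int countdown_status(int sign_extend)
{
    bpf_u_int32 r = 0; size_t s = 0;
    return bpf_run(countdown_prog, COUNTDOWN_LEN, sign_extend, &r, &s);
}

/* Instructions executed by a successful run; 0 if the run failed. */
size_t countdown_steps(int sign_extend)
{
    bpf_u_int32 r = 0; size_t s = 0;
    return bpf_run(countdown_prog, COUNTDOWN_LEN, sign_extend, &r, &s) == RUN_OK ? s : 0;
}

int main(void)
{
    printf("sign-extended JA: status=%d steps=%zu\n", countdown_status(1), countdown_steps(1));
    printf("zero-extended JA: status=%d (target ~4G instructions past the end)\n",
           countdown_status(0));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The zero-extended run is reported as out of range only because the toy checks bounds; the real interpreter dereferences the new pc directly, which is the crash in the How-To-Repeat. On a 32-bit host the pointer arithmetic wraps modulo 2^32 and the same unsigned k happens to land on the right instruction, which is why the bug only surfaces on 64-bit platforms. To see the actual program libpcap compiles for the filter, `tcpdump -d 'ip6 protochain 58'` prints its instructions.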
Peter, Bugs Users,

I have gone through the sources on stable/8 and generated a patch that brings all the bpf_filter.c code up-to-date with this change. If anyone would like to test it out or needs this change, I have uploaded it here:

http://patches.jhell.googlecode.com/hg/libpcap_sign-extend-ja.patch

Because 9-CURRENT is a different monster using libpcap 1.1, someone will obviously have to adjust the patch accordingly.

--
Regards, (jhell)
Jason Hellenthal
wxs 2011-05-22 17:15:21 UTC

FreeBSD ports repository

Modified files:
  net/libpcap          Makefile
Added files:
  net/libpcap/files    patch-bpf__net__bpf_filter.c
Log:
Bring in commit ecdc5c0a7f7591a7cd4aff696e42757c677fbbf7 from upstream. This fixes a crash when using 'ip6 protochain' filters.

PR:             kern/157188
Submitted by:   plosher@

Revision  Changes    Path
1.24      +1 -0      ports/net/libpcap/Makefile
1.1       +21 -0     ports/net/libpcap/files/patch-bpf__net__bpf_filter.c (new)

_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->patched Patch applied against -HEAD.
Responsible Changed From-To: freebsd-bugs->delphij Take.
Author: delphij
Date: Tue Jun 28 00:58:12 2011
New Revision: 223616
URL: http://svn.freebsd.org/changeset/base/223616

Log:
Incorporate vendor commit ecdc5c0a7f7591a7cd4a:

In userland, sign extend the offset for JA instructions. We currently use that to implement "ip6 protochain", and "pc" might be wider than "pc->k", in which case we need to arrange that "pc->k" be sign-extended, by casting it to bpf_int32.

PR:             kern/157188
Submitted by:   plosher
MFC after:      2 weeks

Modified:
  head/contrib/libpcap/bpf/net/bpf_filter.c

Modified: head/contrib/libpcap/bpf/net/bpf_filter.c
==============================================================================
--- head/contrib/libpcap/bpf/net/bpf_filter.c   Tue Jun 28 00:01:55 2011   (r223615)
+++ head/contrib/libpcap/bpf/net/bpf_filter.c   Tue Jun 28 00:58:12 2011   (r223616)
@@ -405,7 +405,18 @@ bpf_filter(pc, p, wirelen, buflen) continue; case BPF_JMP|BPF_JA: +#if defined(KERNEL) || defined(_KERNEL) + /* + * No backward jumps allowed. + */ pc += pc->k; +#else + /* + * XXX - we currently implement "ip6 protochain" + * with backward jumps, so sign-extend pc->k. + */ + pc += (bpf_int32)pc->k; +#endif continue; case BPF_JMP|BPF_JGT|BPF_K:

_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
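Review bot: the userland branch `pc += (bpf_int32)pc->k;` now accepts a negative k, but nothing in the hunk bounds where the sign-extended jump lands: a k more negative than the distance back to the first instruction walks pc off the front of the program, and a backward jump with no forward exit loops forever, so the interpreter is trusting whatever validated the program before it ran. The XXX comment should say which check guarantees the target stays inside the program and that the loop terminates, or the branch should assert on the target. The kernel branch's new comment "No backward jumps allowed." has the same problem in reverse: it records a rule that the unchanged `pc += pc->k;` does not enforce, so it should name where that rule is enforced rather than read as if this line checks it.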
State Changed From-To: patched->closed MFC'ed to RELENG_8, thanks for your submission!
Author: delphij
Date: Tue Jul 12 01:16:43 2011
New Revision: 223941
URL: http://svn.freebsd.org/changeset/base/223941

Log:
MFC r223616:

Incorporate vendor commit ecdc5c0a7f7591a7cd4a:

In userland, sign extend the offset for JA instructions. We currently use that to implement "ip6 protochain", and "pc" might be wider than "pc->k", in which case we need to arrange that "pc->k" be sign-extended, by casting it to bpf_int32.

PR:             kern/157188
Submitted by:   plosher

Modified:
  stable/8/contrib/libpcap/bpf/net/bpf_filter.c
Directory Properties:
  stable/8/contrib/libpcap/   (props changed)

Modified: stable/8/contrib/libpcap/bpf/net/bpf_filter.c
==============================================================================
--- stable/8/contrib/libpcap/bpf/net/bpf_filter.c   Tue Jul 12 00:31:11 2011   (r223940)
+++ stable/8/contrib/libpcap/bpf/net/bpf_filter.c   Tue Jul 12 01:16:43 2011   (r223941)
@@ -396,7 +396,18 @@ bpf_filter(pc, p, wirelen, buflen) continue; case BPF_JMP|BPF_JA: +#if defined(KERNEL) || defined(_KERNEL) + /* + * No backward jumps allowed. + */ pc += pc->k; +#else + /* + * XXX - we currently implement "ip6 protochain" + * with backward jumps, so sign-extend pc->k. + */ + pc += (bpf_int32)pc->k; +#endif continue; case BPF_JMP|BPF_JGT|BPF_K:
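Review bot: apart from the @@ offsets (-396 here against -405 on head) this hunk is identical to r223616, so stable/8 inherits the same gap: the sign-extended `pc += (bpf_int32)pc->k;` has no check that a backward target stays inside the program or that a backward loop terminates. If that guarantee comes from the validator on stable/8 as well, a one-line note in the XXX comment would make the dependency visible to whoever next touches the userland branch on this stable line.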