[14923] in Athena Bugs
Re: sun4 8.0J: ping segfaults
daemon@ATHENA.MIT.EDU (John Hawkinson)
Thu Jan 23 09:02:20 1997
Date: Thu, 23 Jan 1997 14:02:16 GMT
To: Derek Atkins <warlord@MIT.EDU>
Cc: bugs@MIT.EDU
In-Reply-To: "[14922] in Athena Bugs"
From: John Hawkinson <jhawk@MIT.EDU>
} What's wrong:
} ping segfaults:
}
} Ready> ping -s www.irs.ustreas.gov
} PING www.irs.ustreas.gov: 56 data bytes
} Segmentation fault
} Ready> where ping
Sun BugID 1219682.
Fixed by patches:
103297 SunOS 4.1.4: ping dumps core when packet is blocked
103699 SunOS 5.5.1: ping dumps core when packet is blocked
--jhawk
Bug Id: 1219682
Category: network
Subcategory: internet-utility
State: integrated
Synopsis: ping dumps core when packet is blocked (ICMP destination unreachable
0x13)
Description:
Customer reports the following problem:
When he sends a ping request to another host, which is blocked by e.g. a
Cisco-Router
or a firewall with an error code 0x13 (ICMP destination unreachable), the ping
command
dumps core on the following operating systems: 2.3, 2.4, SunOS 4.1.3_u1
Correct would be to show the message "destination unreachable".
If the packets are blocked by a firewall, the coredump is reproducible
everytime.
A coredump is available on request. (eike.reinel@germany.sun.com)
Unfortunately, I have no access to a Cisco-Router here, so I couldn't reproduce
the
problem here. My customer says, that you only have to configure the cisco with
the
following ACL:
access-list 101 permit tcp any any
access-list 101 permit udp any any
The format of the replied packet is defined in RFC 1716 (code 0x13 on page 81)
: 13 = Communication Administratively Prohibited - generated if a
: router cannot forward a packet due to administrative
: filtering;
This code is responsible for the crash.
The stack trace shows:
Core was generated by `/usr/sbin/ping hrz1'.
Program terminated with signal 11, Segmentation fault.
#0 0xef656d50 in strlen ()
#0 0xef656d50 in strlen ()
(gdb) where
#0 0xef656d50 in strlen ()
#1 0xef68add0 in _doprnt_unlocked ()
#2 0xef68c05c in printf ()
#3 0x126d0 in pr_pack ()
#4 0x121a8 in main ()
Then I wanted to know more about the problem, took the original source of ping
and added some printf()-statements to get a logging of some pointers, etc.
while ping
runs at the customer's site. And what happened:
It doesn't coredump!
Version von ping mit Debuggingausgaben. Funktionalitaet unveraendert.
Fuer dieses Binary wird keinerlei Garantie uebernommen.
PING hrz1: 56 data bytes
Got packet of type 3 (0x3) length=36 bytes
packet byte 000 : 03 0d d6 4d 00 00 00 00
packet byte 008 : 45 00 00 54 bf fd 40 00
packet byte 016 : fe 01 52 00 82 53 37 01
packet byte 016 : fe 01 52 00 82 53 37 01
packet byte 024 : 82 53 2f 03 08 00 1b 35
packet byte 032 : 03 70 00 00 00 00 00 00
pr_name: buf=0x00039e84 (cis75-55.hrz.th-darmstadt.de (130.83.55.254))
ICMP Time exceeded during reassembly from gateway cis75-55.hrz.th-darmstadt.de
(130.83.55.254)
pr_name: buf=0x00039e84 (sun13.hrz.th-darmstadt.de (130.83.55.1))
for icmp from sun13.hrz.th-darmstadt.de (130.83.55.1)
pr_name: buf=0x00039e84 (hrz1.hrz.th-darmstadt.de (130.83.47.3))
to hrz1.hrz.th-darmstadt.de (130.83.47.3)
Got packet of type 3 (0x3) length=36 bytes
packet byte 000 : 03 0d c2 a4 00 00 00 00
packet byte 008 : 45 00 00 54 bf fe 40 00
packet byte 016 : fe 01 51 ff 82 53 37 01
packet byte 024 : 82 53 2f 03 08 00 2e dd
packet byte 032 : 03 70 00 01 00 00 00 00
pr_name: buf=0x00039e84 (cis75-55.hrz.th-darmstadt.de (130.83.55.254))
pr_name: buf=0x00039e84 (cis75-55.hrz.th-darmstadt.de (130.83.55.254))
ICMP Time exceeded during reassembly from gateway cis75-55.hrz.th-darmstadt.de
(130.83.55.254)
pr_name: buf=0x00039e84 (sun13.hrz.th-darmstadt.de (130.83.55.1))
for icmp from sun13.hrz.th-darmstadt.de (130.83.55.1)
pr_name: buf=0x00039e84 (hrz1.hrz.th-darmstadt.de (130.83.47.3))
to hrz1.hrz.th-darmstadt.de (130.83.47.3)
^C
----hrz1 PING Statistics----
2 packets transmitted, 0 packets received, 100% packet loss
# /usr/sbin/ping -s hrz1
PING hrz1: 56 data bytes
Segmentation Fault (core dumped)
#
There's no additional functionality in ping2.c except the printf()'s...
Both binaries (ping and ping2) use the same libraries:
$ ldd ping
libsocket.so.1 => /usr/lib/libsocket.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libintl.so.1 => /usr/lib/libintl.so.1
libw.so.1 => /usr/lib/libw.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libc.so.1 => /usr/lib/libc.so.1
$ ldd ping2
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libintl.so.1 => /usr/lib/libintl.so.1
libw.so.1 => /usr/lib/libw.so.1
$
So I think, that perhaps a damaged pointer is responsible for destruction in
the code... (?)
The description field as copied from bug report 1267281 follows:
This is same problem as bug id 1219682 which is fixed on sparc architecture
only.
We need a patch for x86, 2,5,1.
When he sends a ping request to another host, which is blocked by e.g. a
Cisco-Router
or a firewall with an error code 0x13 (ICMP destination unreachable), the ping
command
dumps core on the following operating systems: 2.3, 2.4, SunOS 4.1.3_u1
Correct would be to show the message "destination unreachable".
If the packets are blocked by a firewall, the coredump is reproducible
everytime.
Work around:
Integrated in releases: s297_12
Duplicate of:
Patch id: 103699-01, 103700-01, 103701-01
Patch id: 103699-01, 103700-01, 103701-01
See also: 1267281
Summary:
ping command may core dump if it sees an unknown ICMP code (one that's newer
than
ping's conversion table).
