Subject: bin/12221: dhclient failing on relay-agent-information option
To: None <gnats-bugs@gnats.netbsd.org>
From: Laine Stump <lainestump@rcn.com>
List: netbsd-bugs
Date: 02/16/2001 00:13:10
>Number: 12221
>Category: bin
>Synopsis: dhclient dumps core if dhcp server sends relay-agent-information option
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Feb 15 21:14:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Laine Stump
>Release: NetBSD-current as of 2001/02/15
>Organization:
>Environment:
System: NetBSD idris.laine.org 1.5R NetBSD 1.5R (GENERIC-lrs) #0: Sat Feb 10 01:17:58 EST 2001 laine@idris.laine.org:/drive2/src/src/sys/arch/i386/compile/GENERIC-lrs i386
Architecture: i386
Machine: i386
>Description:
RCN installed a new DOCSIS-compliant cable modem today, and I started
having to deal with a new DHCP server on their network which was
reliably coredumping the dhclient in -current. I tracked this down to
two causes, both tickled by this new server sending an option 82
"relay-agent-information".

1) relay-agent-information has a "format" field (in
   table.c:dhcp_options[]) of "Eagent.", so
   options.c:parse_encapsulated_suboptions() looks for a universe
   called "agent", which doesn't exist. This function should return 0
   if no universe is found, but unfortunately the variable "universe"
   isn't initialized to 0, so that test always fails, and the function
   continues on to dereference the garbage value in universe.

2) Even after (1) is fixed, options.c:pretty_print_option() still
   causes a failure (eventually a core dump) due to this same option.
>How-To-Repeat:
Try to get a lease from a server that sends the relay-agent-information
option, then watch dhclient dump core.
>Fix:
I fixed problem (1) by changing dhcp/common/options.c:188 to

    struct universe *universe = 0;

I didn't have time to track down (2) completely, but found that if
I just added:

    if (code == 82)
        return "<bad stuff>";

at the top of pretty_print_option(), dhclient at least begins
working properly.
>Release-Note:
>Audit-Trail:
>Unformatted:
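
Added example (not part of the original report and not the dhclient source): a minimal C sketch of the lookup pattern behind problem (1), where a pointer is assigned only when a match is found and must therefore start out as NULL. The type layout, the table contents and the function name resolve_encapsulation are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the client's universe type. */
struct universe { const char *name; };

/* Constructed table; "agent" is deliberately absent, as in the report. */
static const struct universe known_universes[] = { { "dhcp" }, { "nwip" } };

/*
 * Resolve the universe named by an encapsulation format such as "Eagent.".
 * Returns 1 and sets *out on success; returns 0 and sets *out to NULL when
 * the format is malformed or names no known universe.
 */
int resolve_encapsulation(const char *format, const struct universe **out)
{
    /* The initializer is the fix: the loop below assigns only on a match,
     * so without it the not-found test reads an indeterminate pointer. */
    const struct universe *universe = NULL;
    const char *name, *dot;
    size_t len, i;

    *out = NULL;
    if (format == NULL || format[0] != 'E')
        return 0;
    name = format + 1;
    dot = strchr(name, '.');
    if (dot == NULL || dot == name)      /* no terminator or empty name */
        return 0;
    len = (size_t)(dot - name);

    for (i = 0; i < sizeof known_universes / sizeof known_universes[0]; i++) {
        if (strlen(known_universes[i].name) == len &&
            memcmp(known_universes[i].name, name, len) == 0) {
            universe = &known_universes[i];
            break;
        }
    }
    if (universe == NULL)                /* unknown universe: refuse */
        return 0;

    *out = universe;
    return 1;
}
```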