dhcpcd-discuss

DHCPCD crashed with segfault when trying to add PPP host route in other interfaces

Hiroki Takeuchi

Tue Dec 31 04:04:32 2019

I'm using the Debian/Ubuntu variant of DHCPCD 7.1.0 patched with
https://roy.marples.name/cgit/dhcpcd.git/commit/?h=dhcpcd-7&id=75f2832a88b8f5a3078179404b149b7cd9623dbf
However, I noticed it still sometimes crashes with a segfault. I am able to
reproduce the problem under gdb. Here's the stack trace:
#0  sa_in_init (sa=sa@entry=0x5555557c9210, addr=0x10) at sa.c:438
#1  0x000055555557b33f in inet_routerhostroute (routes=0x7fffffffcf80, ifp=0x5555557c5330) at ipv4.c:418
#2  inet_getroutes (ctx=ctx@entry=0x7fffffffe090, routes=routes@entry=0x7fffffffcf80) at ipv4.c:438
#3  0x000055555556c4b3 in rt_build (ctx=0x7fffffffe090, af=af@entry=2) at route.c:515
#4  0x000055555557bd5b in ipv4_applyaddr (arg=arg@entry=0x5555557a7510) at ipv4.c:761
#5  0x0000555555576508 in dhcp_bind (ifp=ifp@entry=0x5555557a7510) at dhcp.c:2340
#6  0x000055555557682b in dhcp_arp_bind (ifp=0x5555557a7510) at dhcp.c:2451
#7  dhcp_static (ifp=ifp@entry=0x5555557a4010) at dhcp.c:2481
#8  0x000055555557a028 in dhcp_start1 (arg=0x5555557a4010, arg@entry=0x5555557a7510) at dhcp.c:3697
#9  0x000055555557a9f0 in dhcp_start (ifp=0x5555557a7510) at dhcp.c:3871
#10 0x000055555556155c in dhcpcd_startinterface (arg=0x5555557a7510) at dhcpcd.c:921
#11 0x0000555555561881 in reconf_reboot (action=1, argc=3, argv=0x7fffffffd390, oi=2, ctx=<optimized out>) at dhcpcd.c:1219
#12 0x00005555555627de in dhcpcd_handleargs (ctx=0x7fffffffe090, fd=fd@entry=0x5555557bcd90, argc=argc@entry=3, argv=argv@entry=0x7fffffffd390) at dhcpcd.c:1477
#13 0x000055555555f5ba in control_handle_data (arg=0x5555557bcd90) at control.c:143
#14 0x0000555555563aab in eloop_start (eloop=0x5555557b6340, signals=0x7fffffffe198) at eloop.c:978
#15 0x000055555555e36b in main (argc=<optimized out>, argv=<optimized out>) at dhcpcd.c:2024
As you can see, sa_in_init's second parameter addr is 0x10, which is odd; I am
guessing it is reading a structure member at an offset from a NULL pointer. Hence, I printed
the "state" in the frame for inet_routerhostroute:
{state = DHS_DISCOVER, sent = 0x0, sent_len = 0, offer = 0x0, offer_len = 0,
 new = 0x0, new_len = 0, old = 0x0, old_len = 0,
 lease = {addr = {s_addr = 0}, mask = {s_addr = 0}, brd = {s_addr = 0},
          leasetime = 0, renewaltime = 0, rebindtime = 0, server = {s_addr = 0},
          frominfo = 0 '\000', cookie = 0},
 reason = 0x55555558f32d "PREINIT", interval = 16, nakoff = 0, xid = 3583177864,
 socket = 0, bpf_fd = 14, bpf_flags = 0, addr = 0x0, added = 0 '\000',
 leasefile = "/var/lib/dhcpcd/eno1.lease", '\000' <repeats 144 times>,
 started = {tv_sec = 605530, tv_nsec = 82764151},
 clientid = 0x5555557c03f0 "\017\377}\377", <incomplete sequence \305>,
 auth = {replay = 0, token = 0x0, reconf = 0x0}, arping_index = -1}
As expected, state->addr is NULL. In my environment, eno1 (which is the ifp
it crashes on) has an IP address which I added to it manually. Referencing
ipv4_hasaddr, I guess dhcp_state addr may be NULL if ifp hasn't acquired a
lease; kindly correct me if I am wrong. If that is the case, I can merely
make the following change in inet_routerhostroute to address this issue:
if ((state = D_CSTATE(ifp)) == NULL)
    continue;
to
if ((state = D_CSTATE(ifp)) == NULL || state->addr == NULL)
    continue;
Are there any other things that need to be considered, or suggestions on how to fix
this issue? Thanks!
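The loop described in the post, as an added example that is not part of the original message or of dhcpcd's source: a minimal stand-alone model of the interface scan in inet_routerhostroute, showing why the extra state->addr == NULL test is needed before the address is dereferenced. The struct layouts, the D_CSTATE stand-in, the function names build_router_hostroutes / router_needs_hostroute / demo and the interface scenario (eno1 in PREINIT with no lease, ppp0 with no DHCP state, eth1 bound with an off-link router) are all assumptions constructed for the example, not the real dhcpcd types or data.

```c
/* Added example, not dhcpcd code. All struct, macro and function names
 * below are simplified stand-ins for the real dhcpcd definitions
 * (assumptions made for illustration only). */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical slimmed-down address record: a leased address plus its mask. */
struct ipv4_addr {
    struct in_addr addr;
    struct in_addr mask;
};

/* Hypothetical per-interface DHCP state. addr stays NULL until a lease is
 * bound, mirroring the gdb dump in the post (addr = 0x0 while in PREINIT). */
struct dhcp_state {
    const char *reason;
    struct ipv4_addr *addr;
};

/* Hypothetical interface: state is NULL when DHCP never ran on it
 * (for instance a ppp interface configured by another daemon). */
struct interface {
    const char *name;
    struct dhcp_state *state;
};

/* Stand-in for dhcpcd's D_CSTATE(ifp) accessor. */
#define D_CSTATE(ifp) ((ifp)->state)

/* Returns 1 when gw lies outside addr/mask, i.e. the router is off-link
 * and a host route is required to reach it. */
int router_needs_hostroute(const struct ipv4_addr *a, struct in_addr gw)
{
    return (a->addr.s_addr & a->mask.s_addr) != (gw.s_addr & a->mask.s_addr);
}

/* Guarded version of the scan. Interfaces without a DHCP state, and
 * interfaces whose state has no bound address yet, are skipped before
 * state->addr is ever read. Returns the number of host routes produced. */
int build_router_hostroutes(struct interface *ifs, size_t n, struct in_addr gw)
{
    int routes = 0;
    for (size_t i = 0; i < n; i++) {
        struct dhcp_state *state;
        /* The proposed fix: bail out on a missing lease address as well. */
        if ((state = D_CSTATE(&ifs[i])) == NULL || state->addr == NULL)
            continue;
        if (!router_needs_hostroute(state->addr, gw))
            continue;   /* router is on-link, no host route needed */
        char gws[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &gw, gws, sizeof gws);
        printf("%s: host route to router %s\n", ifs[i].name, gws);
        routes++;
    }
    return routes;
}

/* Constructed scenario (not real data): eno1 is in PREINIT with no lease,
 * ppp0 has no DHCP state at all, eth1 holds a /32 lease whose router is
 * therefore off-link. Exactly one host route results and nothing
 * dereferences NULL. */
int demo(void)
{
    struct ipv4_addr eth1_addr;
    inet_pton(AF_INET, "10.0.0.5", &eth1_addr.addr);
    inet_pton(AF_INET, "255.255.255.255", &eth1_addr.mask);

    struct dhcp_state eno1_state = { "PREINIT", NULL };
    struct dhcp_state eth1_state = { "BOUND", &eth1_addr };
    struct interface ifs[] = {
        { "eno1", &eno1_state },
        { "ppp0", NULL },
        { "eth1", &eth1_state },
    };

    struct in_addr gw;
    inet_pton(AF_INET, "10.0.0.1", &gw);
    return build_router_hostroutes(ifs, sizeof ifs / sizeof ifs[0], gw);
}

int main(void)
{
    printf("routes built: %d\n", demo());
    return 0;
}
```

Without the `state->addr == NULL` half of the guard, the eno1 entry in the scenario above would be dereferenced through a NULL pointer, which is the same shape of fault as the `addr=0x10` argument seen in the trace.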

Follow-Ups:
Re: DHCPCD crashed with segfault when trying to add PPP host route in other interfaces (Roy Marples)
Archive administrator: postmaster@marples.name