[peter at p12n.org: dhcp 3.0.3 theoretical alignment bug]
David W. Hankins
David_Hankins at isc.org
Tue Aug 30 21:11:14 UTC 2005
On Tue, Aug 30, 2005 at 09:10:13PM +1000, Andrew Pollock wrote:
> Spent some time investigating a bug in 3.0.2 that seemed to be partially
> fixed (but without anything appropriate that I could see in the release
> notes in 3.0.3).
Changes since 3.0.2
- decode_udp_ip_header was changed so that the IP address was copied out
to a variable, rather than referenced by a pointer. This enforces 4-byte
alignment of the 32-bit IP address value. Thanks to a patch from Dr.
Peter Poeml.
> So, I was helping someone track down a pointer alignment bug in dhcp
> 3.0.2, and it turned out to be fixed in dhcp 3.0.3. However, there is
> another bug of exactly the same type, in the same function, *not* fixed
> in 3.0.3. Why it does not trigger in the same situation, I don't know.
>
> The 3.0.2 bug was in decode_udp_ip_header(): 'struct ip *ip', which was
> changed to a stack variable 'struct ip ip' and copied from the input
> buffer, for proper struct alignment. The related variable 'struct
> udphdr *udp' was not changed in the same way and I think it should have
> been.
Mmm. The 'buf' field starts out 2 bytes misaligned, the ip header is
32-bit aligned itself, so the the udp offset realigns it (and the bootp
payload is once again 32-bit aligned).
So, 32bit->2-16-bit-registers compiler tricks in the udp header area
would likely not work, no.
The reason no one else has seen this is most likely compiler flags.
> Practical result: the UDP checksum in the input buffer is no longer
> zeroed. I didn't check to see if this mattered.
It may in the relay, I need to relearn how that works.
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
More information about the dhcp-hackers
mailing list