From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:38801)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dgibson@ozlabs.org>) id 1S0ixX-0008Mt-6m
	for qemu-devel@nongnu.org; Thu, 23 Feb 2012 19:24:28 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <dgibson@ozlabs.org>) id 1S0ixS-0004S9-Gg
	for qemu-devel@nongnu.org; Thu, 23 Feb 2012 19:24:27 -0500
Received: from ozlabs.org ([203.10.76.45]:38005)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dgibson@ozlabs.org>) id 1S0ixS-0004Rd-11
	for qemu-devel@nongnu.org; Thu, 23 Feb 2012 19:24:22 -0500
From: David Gibson <david@gibson.dropbear.id.au>
Date: Fri, 24 Feb 2012 11:23:28 +1100
Message-Id: <1330043012-30556-3-git-send-email-david@gibson.dropbear.id.au>
In-Reply-To: <1330043012-30556-1-git-send-email-david@gibson.dropbear.id.au>
References: <1330043012-30556-1-git-send-email-david@gibson.dropbear.id.au>
Subject: [Qemu-devel] [PATCH 2/6] slirp: Fix assertion failure on rejected
	DHCP requests
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: anthony@codemonkey.ws
Cc: Jan Kiszka <jan.kiszka@siemens.com>, qemu-devel@nongnu.org, David Gibson <david@gibson.dropbear.id.au>

The guest network stack might DHCPREQUEST an address that the slirp built
in dhcp server can't let it have - for example if the guest has an old
leases file from another network configuration.  In this case the dhcp
server should and does reject the request and prepares to send a DHCPNAK
to the client.

However, in this case the daddr variable in bootp_reply() is set to
0.0.0.0.  Shortly afterwards, it unconditionally attempts to pre-insert the
new client address into the ARP table.  This causes an assertion failure in
arp_address_add() because of the 0.0.0.0 address.

According to RFC2131, DHCPNAK messages for clients on the same subnet
must be sent to the broadcast address (S3.2, subpoint 2).

Cc: Jan Kiszka <jan.kiszka@siemens.com>

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 slirp/bootp.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/slirp/bootp.c b/slirp/bootp.c
index efd1fe7..64eac7d 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -200,7 +200,8 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
             daddr.sin_addr = preq_addr;
             memcpy(bc->macaddr, client_ethaddr, ETH_ALEN);
         } else {
-            daddr.sin_addr.s_addr = 0;
+            /* DHCPNAKs should be sent to broadcast */
+            daddr.sin_addr.s_addr = 0xffffffff;
         }
     } else {
         bc = find_addr(slirp, &daddr.sin_addr, bp->bp_hwaddr);
-- 
1.7.9