From: Jan Kiszka
To: Nickolai Zeldovich
Cc: "qemu-devel@nongnu.org"
Date: Mon, 12 Nov 2012 17:24:16 +0100
Message-ID: <50A122B0.7000701@siemens.com>
References: <1352681983-23159-1-git-send-email-nickolai@csail.mit.edu> <50A0C356.6090905@siemens.com>
Subject: Re: [Qemu-devel] [PATCH] slirp: Don't crash on packets from 0.0.0.0/8.

On 2012-11-12 15:41, Nickolai Zeldovich wrote:
> On Mon, Nov 12, 2012 at 4:37 AM, Jan Kiszka wrote:
>> On 2012-11-12 01:59, Nickolai Zeldovich wrote:
>>> LWIP can generate packets with a source of 0.0.0.0, which triggers an
>>> assertion failure in arp_table_add(). Instead of crashing, simply return
>>> to avoid adding an invalid ARP table entry.
>>
>> I would prefer to filter out such invalid packets at a different level.
>> Did you analyze which path it takes through the stack?
>
> The particular packet that crashed qemu for me was a gratuitous ARP,
> though it looks like all three calls to arp_table_add() in arp_input()
> can trigger this.
>
> Popping up one level, I'm not sure why arp_table_add() and
> arp_table_search() need a special case for 0.0.0.0/8 in the first
> place. I couldn't find any other code that assumes the ARP table
> cannot contain 0.0.0.0/8 entries. Would anything break if the check
> for 0.0.0.0/8 was removed from arp_table_add() and arp_table_search()
> altogether?

0.0.0.0/8 addresses are source-only, invalid as a destination. So they have
no place in the ARP table.

OK, let's follow your path and filter them in arp_table_add. Just add the
missing braces and resend.

Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux
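The filter the thread settles on, as an added example written for this archive page and not code from slirp or QEMU: a toy ARP table whose arp_table_add() drops 0.0.0.0/8 senders and reports the drop instead of assert()ing on guest input, fed by a minimal arp_input() over two constructed packets. The table layout, its 16-entry size, the boolean return values and the sample packets (including the 10.0.2.x addresses) are assumptions; only the function names come from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define ARP_TABLE_SIZE 16
#define ARP_HDR_LEN 28   /* Ethernet/IPv4 ARP body, link-layer header already stripped */

struct arp_entry { uint32_t ip; uint8_t mac[ETH_ALEN]; };
static struct arp_entry arp_table[ARP_TABLE_SIZE];   /* toy table; layout is an assumption */
static int arp_count;
int arp_table_count(void) { return arp_count; }

/* 0.0.0.0/8 is source-only: legal as a sender, never reachable as a destination. */
static bool ip_is_source_only(uint32_t ip_host_order) {
    return (ip_host_order & 0xff000000u) == 0;
}

/* Refuses source-only senders and reports it, instead of assert()ing on guest input. */
bool arp_table_add(uint32_t ip, const uint8_t mac[ETH_ALEN]) {
    if (ip_is_source_only(ip)) return false;         /* the filter discussed above */
    for (int i = 0; i < arp_count; i++)
        if (arp_table[i].ip == ip) { memcpy(arp_table[i].mac, mac, ETH_ALEN); return true; }
    if (arp_count == ARP_TABLE_SIZE) return false;   /* full table: drop, never overflow */
    arp_table[arp_count].ip = ip;
    memcpy(arp_table[arp_count].mac, mac, ETH_ALEN);
    arp_count++;
    return true;
}

/* Minimal arp_input(): check the fixed header, then learn the sender (MAC, IP) pair. */
bool arp_input(const uint8_t *pkt, size_t len) {
    if (len < ARP_HDR_LEN) return false;
    uint16_t htype = (uint16_t)(pkt[0] << 8 | pkt[1]);
    uint16_t ptype = (uint16_t)(pkt[2] << 8 | pkt[3]);
    if (htype != 1 || ptype != 0x0800 || pkt[4] != ETH_ALEN || pkt[5] != 4) return false;
    uint32_t spa = (uint32_t)pkt[14] << 24 | (uint32_t)pkt[15] << 16 |
                   (uint32_t)pkt[16] << 8 | pkt[17];                /* sender IP, bytes 14..17 */
    return arp_table_add(spa, pkt + 8);                             /* sender MAC, bytes 8..13 */
}

/* Constructed samples: a request whose sender IP is 0.0.0.0 (the shape of an
 * RFC 5227 address probe), and an ordinary request from 10.0.2.15. */
const uint8_t arp_from_zero[ARP_HDR_LEN] = {
    0,1, 8,0, 6,4, 0,1, 0x52,0x54,0x00,0x12,0x34,0x56, 0,0,0,0,
    0,0,0,0,0,0, 10,0,2,2 };
const uint8_t arp_from_guest[ARP_HDR_LEN] = {
    0,1, 8,0, 6,4, 0,1, 0x52,0x54,0x00,0x12,0x34,0x56, 10,0,2,15,
    0,0,0,0,0,0, 10,0,2,2 };
```

Feeding arp_from_zero through arp_input() returns false and leaves the table empty; arp_from_guest is learned as the single entry.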