dhcp-3.1.0a3 crashed with one packet sent to it based on leasequery

Kevin Dierking Kevin.Dierking at arrisi.com
Thu Mar 8 22:04:27 UTC 2007


I have a packet that crashes the alpha server. The leasequery is of type 
RFC 4388 according to our software engineer; however, I am not stating that 
the packet is formed correctly.
I have been able to use tcpreplay to send the packet and see it (dhcpd) 
gracefully exit.  By using text2pcap you should be able to recreate the 
pcap version from the very bottom block (text packet data).

Sorry I didn't keep the output messages, but it should be easy to 
recreate.  This was compiled and tested under FreeBSD 5.5-RELEASE.  The 
decode was provided by Wireshark version 0.99.2.


No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.139.96.1           10.50.39.3            DHCP     DHCP Unknown Message Type (0x0a) - Transaction ID 0x26

Frame 1 (342 bytes on wire, 342 bytes captured)
    Arrival Time: Mar  8, 2007 14:32:23.009897000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 342 bytes
    Capture Length: 342 bytes
    Frame is marked: False
    Protocols in frame: eth:ip:udp:bootp
    Coloring Rule Name: UDP
    Coloring Rule String: udp
Ethernet II, Src: Cisco_13:80:31 (00:02:ba:13:80:31), Dst: Adaptec_ed:cb:99 (00:00:d1:ed:cb:99)
    Destination: Adaptec_ed:cb:99 (00:00:d1:ed:cb:99)
        Address: Adaptec_ed:cb:99 (00:00:d1:ed:cb:99)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Source: Cisco_13:80:31 (00:02:ba:13:80:31)
        Address: Cisco_13:80:31 (00:02:ba:13:80:31)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Type: IP (0x0800)
Internet Protocol, Src: 10.139.96.1 (10.139.96.1), Dst: 10.50.39.3 (10.50.39.3)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 328
    Identification: 0x0691 (1681)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 63
    Protocol: UDP (0x11)
    Header checksum: 0xd853 [correct]
        Good: True
        Bad : False
    Source: 10.139.96.1 (10.139.96.1)
    Destination: 10.50.39.3 (10.50.39.3)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
    Source port: bootps (67)
    Destination port: bootps (67)
    Length: 308
    Checksum: 0x7d18 [correct]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: NET/ROM pseudo
    Hardware address length: 0
    Hops: 0
    Transaction ID: 0x00000026
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 10.139.127.253 (10.139.127.253)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 10.139.96.1 (10.139.96.1)
    Client address not given
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option 53: DHCP Message Type = DHCP Unknown Message Type (0x0a)
    Option 57: Maximum DHCP Message Size = 1472
    Option 55: Parameter Request List
        82 = Agent Information Option
        51 = IP Address Lease Time
        60 = Vendor class identifier
    End Option
    Padding

0000  00 00 d1 ed cb 99 00 02 ba 13 80 31 08 00 45 00   ...........1..E.
0010  01 48 06 91 00 00 3f 11 d8 53 0a 8b 60 01 0a 32   .H....?..S..`..2
0020  27 03 00 43 00 43 01 34 7d 18 01 00 00 00 00 00   '..C.C.4}.......
0030  00 26 00 00 00 00 0a 8b 7f fd 00 00 00 00 00 00   .&..............
0040  00 00 0a 8b 60 01 00 00 00 00 00 00 00 00 00 00   ....`...........
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 63 82 53 63 35 01 0a 39 02 05   ......c.Sc5..9..
0120  c0 37 03 52 33 3c ff 00 00 00 00 00 00 00 00 00   .7.R3<..........
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0150  00 00 00 00 00 00                                 ......
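
Added example, not part of the original post and not ISC dhcpd code: a bounds-checked C walk over the BOOTP options of the packet above, which recognises option 53 value 0x0a as RFC 4388 DHCPLEASEQUERY and reports which query key the message carries. The function names, the enum and the precedence between keys (ciaddr, then client identifier, then hardware address) are assumptions of this example; build_sample() rebuilds the 300-byte UDP payload from the decoded fields.

```c
#include <stdint.h>
#include <string.h>

enum lq_kind { LQ_MALFORMED = -1, LQ_NOT_LEASEQUERY, LQ_BY_IP, LQ_BY_CLIENT_ID, LQ_BY_MAC };
#define BOOTP_FIXED    236   /* op..file; the magic cookie follows */
#define DHCPLEASEQUERY 10    /* RFC 4388 type, shown as 0x0a in the decode */

/* Classify a BOOTP/DHCP UDP payload without ever reading past len.
 * Key precedence (ciaddr, client-id, chaddr) is this example's assumption. */
enum lq_kind classify_leasequery(const uint8_t *p, size_t len)
{
    static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };
    static const uint8_t zero[16] = { 0 };
    int msg_type = -1, have_cid = 0;

    if (len < BOOTP_FIXED + 4 || memcmp(p + BOOTP_FIXED, cookie, 4) != 0)
        return LQ_MALFORMED;
    uint8_t hlen = p[2];
    if (hlen > 16) return LQ_MALFORMED;          /* chaddr holds 16 bytes */
    for (size_t i = BOOTP_FIXED + 4; i < len; ) {
        uint8_t code = p[i++];
        if (code == 0) continue;                 /* pad */
        if (code == 255) break;                  /* end */
        if (i >= len) return LQ_MALFORMED;       /* length byte missing */
        uint8_t olen = p[i++];
        if (olen > len - i) return LQ_MALFORMED; /* value runs off the packet */
        if (code == 53 && olen == 1) msg_type = p[i];
        if (code == 61 && olen > 0) have_cid = 1;
        i += olen;
    }
    if (msg_type != DHCPLEASEQUERY) return LQ_NOT_LEASEQUERY;
    if (memcmp(p + 12, zero, 4) != 0) return LQ_BY_IP;             /* ciaddr */
    if (have_cid) return LQ_BY_CLIENT_ID;
    if (hlen && memcmp(p + 28, zero, hlen) != 0) return LQ_BY_MAC; /* chaddr */
    return LQ_MALFORMED;                         /* leasequery with no key */
}

/* Constructed sample: the 300-byte payload rebuilt from the decoded fields. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t ciaddr[4] = { 10, 139, 127, 253 }, giaddr[4] = { 10, 139, 96, 1 };
    static const uint8_t opts[] = { 0x63, 0x82, 0x53, 0x63, 0x35, 0x01, 0x0a,
        0x39, 0x02, 0x05, 0xc0, 0x37, 0x03, 0x52, 0x33, 0x3c, 0xff };
    if (cap < 300) return 0;
    memset(buf, 0, 300);
    buf[0] = 1;                                  /* op: Boot Request */
    buf[7] = 0x26;                               /* xid 0x00000026 */
    memcpy(buf + 12, ciaddr, 4);
    memcpy(buf + 24, giaddr, 4);
    memcpy(buf + BOOTP_FIXED, opts, sizeof opts);
    return 300;
}
```

On the sample the classifier returns LQ_BY_IP: ciaddr is set while the hardware address length is 0 and no client identifier option is present, which matches the decode.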



