[BusyBox 0003304]: udhcpd arpping overflow bug

bugs at busybox.net bugs at busybox.net
Tue May 13 00:41:18 UTC 2008 

The following issue has been CLOSED 
====================================================================== 
http://busybox.net/bugs/view.php?id=3304 
====================================================================== 
Reported By:                Linkn
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   3304
Category:                   Networking Support
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             05-09-2008 04:10 PDT
Last Modified:              05-12-2008 17:41 PDT
====================================================================== 
Summary:                    udhcpd arpping overflow  bug
Description: 
In the arpping function(networking\udhcp\arpping.c. line 89),  
prevTime may bring timeout_ms overflow in MIPS os.
Suggest define preTime: unsigned long long preTime;

====================================================================== 

---------------------------------------------------------------------- 
 vda - 05-09-08 04:51  
---------------------------------------------------------------------- 
The code:

        /* wait for arp reply, and check it */
        timeout_ms = 2000;
        do {
                int r;
                unsigned prevTime = monotonic_us();
...
                timeout_ms -= (monotonic_us() - prevTime) / 1000;
        } while (timeout_ms > 0);

Can you explain in more details when overflow occurs? 

---------------------------------------------------------------------- 
 vda - 05-09-08 04:56  
---------------------------------------------------------------------- 
If this is a real bug, it is likely fixed in 21958. 

---------------------------------------------------------------------- 
 Linkn - 05-09-08 20:36  
---------------------------------------------------------------------- 
This is embedded MIPS 4k OS and gcc is mipsel-linux-gcc (GCC) 3.3.6. 
The test code :
	/* wait for arp reply, and check it */
	do {
		int r;
		//unsigned long long prevTime = monotonic_us();
		unsigned  prevTime = monotonic_us();

bb_error_msg("arpping -> timeout_ms:%d\n",timeout_ms);
		pfd[0].events = POLLIN;
		r = safe_poll(pfd, 1, timeout_ms);
		if (r < 0) {
			break;
		} else if (r) {
			if (read(s, &arp, sizeof(arp)) < 0)
				break;
			if (arp.operation == htons(ARPOP_REPLY)
			 && memcmp(arp.tHaddr, from_mac, 6) == 0
			 && *((uint32_t *) arp.sInaddr) == test_ip
			) {
				rv = 0;
				break;
			}
		}
		timeout_ms -= (monotonic_us() - prevTime) / 1000;
	} while (timeout_ms > 0);

Where dhcpd receive discover, debug msg show :

udhcpd: arpping -> timeout_ms:2000
udhcpd: arpping -> timeout_ms:1662154294

At this time,safe_poll will delay long long time .

 

---------------------------------------------------------------------- 
 vda - 05-10-08 08:49  
---------------------------------------------------------------------- 
Please test whether it is fixed by adding (unsigned) cast:

timeout_ms -= ((unsigned)monotonic_us() - prevTime) / 1000; 

---------------------------------------------------------------------- 
 Linkn - 05-11-08 20:44  
---------------------------------------------------------------------- 
Yes ,it is fixed by this mode:

1:  timeout_ms -= ((unsigned)monotonic_us() - prevTime) / 1000; 

2:  unsigned long long prevTime = monotonic_us();

 

---------------------------------------------------------------------- 
 vda - 05-12-08 07:14  
---------------------------------------------------------------------- 
> Yes ,it is fixed by this mode:
> 1: timeout_ms -= ((unsigned)monotonic_us() - prevTime) / 1000;
> 2: unsigned long long prevTime = monotonic_us();

I don't understand. I asked whether _only_ adding (unsigned) is enough.
I'd like to avoid using "long long" as it results in bigger code.

Can you test whether only adding (unsigned) works? 

---------------------------------------------------------------------- 
 Linkn - 05-12-08 07:55  
---------------------------------------------------------------------- 
Yes, I tested. only adding unsigned, it works ok. 

---------------------------------------------------------------------- 
 vda - 05-12-08 17:41  
---------------------------------------------------------------------- 
Fixed in rev 21958. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
05-09-08 04:10  Linkn          New Issue                                    
05-09-08 04:10  Linkn          Status                   new => assigned     
05-09-08 04:10  Linkn          Assigned To               => BusyBox         
05-09-08 04:51  vda            Note Added: 0007584                          
05-09-08 04:56  vda            Note Added: 0007594                          
05-09-08 20:09  Linkn          Issue Monitored: Linkn                       
05-09-08 20:32  Linkn          Note Added: 0007614                          
05-09-08 20:36  Linkn          Note Edited: 0007614                         
05-10-08 08:49  vda            Note Added: 0007624                          
05-11-08 20:43  Linkn          Note Added: 0007634                          
05-11-08 20:44  Linkn          Note Edited: 0007634                         
05-12-08 07:14  vda            Note Added: 0007644                          
05-12-08 07:55  Linkn          Note Added: 0007654                          
05-12-08 17:41  vda            Status                   assigned => closed  
05-12-08 17:41  vda            Note Added: 0007664                          
======================================================================

More information about the busybox-cvs mailing list