Receiving a DHCP NAK packet causes a core dump
I saw this node by reading the code in plugins/dhcp/dhcp4_proxy_node.c:
```c
VLIB_REGISTER_NODE (dhcp_proxy_to_client_node, static) = {
  .function = dhcp_proxy_to_client_input,
  .name = "dhcp-proxy-to-client",
  /* Takes a vector of packets. */
  .vector_size = sizeof (u32),

  .n_errors = DHCP_PROXY_N_ERROR,
  .error_strings = dhcp_proxy_error_strings,
  .format_buffer = format_dhcp_proxy_header_with_length,
  .format_trace = format_dhcp_proxy_trace,
#if 0
  .unformat_buffer = unformat_dhcp_proxy_header,
#endif
  .n_next_nodes = DHCP4_PROXY_N_NEXT,
  .next_nodes = {
    [DHCP4_PROXY_NEXT_DROP] = "error-drop",
    [DHCP4_PROXY_NEXT_TX] = "interface-output",
  },
};
```
This appears to be just an ordinary node and does not specify that it must run on the main thread. Pay attention to this function in dhcp_proxy_to_client_input:
```c
/* Consumed by dhcp client code? */
if (dhcp_client_for_us (bi0, b0, ip0, u0, h0))
  {
    error0 = DHCP_PROXY_ERROR_FOR_US;
    goto drop_packet;
  }
```
When receiving a DHCP NAK packet in dhcp_client_for_us:
```c
case DHCP_REQUEST:
  if (dhcp_message_type == DHCP_PACKET_NAK)
    {
      vlib_node_increment_counter (vm, dhcp_client_process_node.index,
                                   DHCP_STAT_NAK, 1);
      /* Probably never happens in bound state, but anyhow...
         Wipe out any memory of the address we had... */
      dhcp_client_reset (dcm, c);
      break;
    }
```
The dhcp_client_reset function:
```c
static void
dhcp_client_reset (dhcp_client_main_t * dcm, dhcp_client_t * c)
{
  vlib_worker_thread_barrier_sync (dcm->vlib_main);
  if (c->client_detect_feature_enabled == 1)
    {
      vnet_feature_enable_disable ("ip4-unicast", "ip4-dhcp-client-detect",
                                   c->sw_if_index, 0, 0, 0);
      c->client_detect_feature_enabled = 0;
    }
  dhcp_client_release_address (dcm, c);
  vlib_worker_thread_barrier_release (dcm->vlib_main);

  clib_memset (&c->learned, 0, sizeof (c->installed));
  c->state = DHCP_DISCOVER;
  c->next_transmit = vlib_time_now (dcm->vlib_main);
  c->retry_count = 0;
  c->lease_renewal_interval = 0;
  vec_free (c->domain_server_address);
}
```
But the worker thread is not allowed to call vlib_worker_thread_barrier_sync, and at times it can lead to a core dump.
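The hazard reported above, as an added single-threaded C model that is not code from the post or from VPP: a NAK handler that resets directly only on the main thread and otherwise queues the reset for the main thread to perform. All names here (`on_nak`, `main_drain`, `client_reset`, `current_thread`, `barrier_violations`) are hypothetical stand-ins, and the queue is unlocked because the model runs on one thread.

```c
#include <stddef.h>

/* Constructed single-threaded model, not VPP code. Thread 0 is main. */
enum { DHCP_DISCOVER, DHCP_REQUEST };
#define MAX_PENDING 8
typedef struct { int state; unsigned retry_count;
                 int address_installed; int reset_pending; } client_t;

static int current_thread;      /* stand-in for the VPP thread index */
static int barrier_violations;  /* barrier syncs attempted off-main */
static client_t *pending[MAX_PENDING]; /* a real queue needs locking */
static size_t n_pending;

/* Stand-in for vlib_worker_thread_barrier_sync: main thread only. */
static void barrier_sync (void) { if (current_thread != 0) barrier_violations++; }

/* Same shape as dhcp_client_reset: takes the barrier, so main only. */
static void client_reset (client_t *c)
{
  barrier_sync ();
  c->address_installed = 0;   /* address released under the barrier */
  c->state = DHCP_DISCOVER;
  c->retry_count = 0;
  c->reset_pending = 0;
}

/* NAK handler callable from any thread.
   Returns 1 if reset now, 0 if deferred to main, -1 if the queue is full. */
static int on_nak (client_t *c)
{
  if (current_thread == 0) { client_reset (c); return 1; }
  if (c->reset_pending) return 0;   /* repeated NAKs queue only once */
  if (n_pending == MAX_PENDING) return -1;
  c->reset_pending = 1;
  pending[n_pending++] = c;
  return 0;
}

/* Called on the main thread; returns the number of resets performed. */
static size_t main_drain (void)
{
  size_t done = n_pending;
  for (size_t i = 0; i < done; i++) client_reset (pending[i]);
  n_pending = 0;
  return done;
}

int main (void)
{
  client_t c = { DHCP_REQUEST, 3, 1, 0 };   /* constructed sample client */
  current_thread = 1; on_nak (&c);          /* NAK seen on a worker */
  current_thread = 0;                       /* main thread drains */
  return main_drain () == 1 && barrier_violations == 0 ? 0 : 1;
}
```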