miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

miniupnpd crashes when PCP MAP packet is truncated

 
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> miniupnpc Bugs
View previous topic :: View next topic  
Author Message
offbynull



Joined: 27 Jan 2014
Posts: 11

PostPosted: Sat Feb 01, 2014 11:53 pm    Post subject: miniupnpd crashes when PCP MAP packet is truncated Reply with quote

Hi,

A minor bug I noticed while testing my Java client library with miniupnpd's PCP functionality: If a request packet is missing data, miniupnpd crashes. I noticed this bug when I accidentally truncated the suggested external IP address (last field in the MAP op) to 4 bytes. I believe the proper response should something with error code MALFORMED_REQUEST (http://tools.ietf.org/html/rfc6887#section-7.4).

Also, I noticed that I get a UNSUPP_OPCODE error code when I attempt an announce request. From reading the RFC, I think the proper response for this should be a response with no payload, 0 for the op code, and 0 for the lifetime (http://tools.ietf.org/html/rfc6887#section-14.1.2). From the RFC: "This functionality allows a PCP client to determine a server's Epoch, or to determine if a PCP server is running, without changing the server's state"
Back to top
View user's profile Send private message
offbynull



Joined: 27 Jan 2014
Posts: 11

PostPosted: Sun Feb 02, 2014 3:45 am    Post subject: Reply with quote

Hi,

Another issue I just noticed with PCP: If the version field is set to 3 in a request, the miniupnpd process seems to end. I believe the correct behaviour should be a reply with UNSUPP_VERSION (http://tools.ietf.org/html/rfc6887#section-9).
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1469

PostPosted: Mon Feb 03, 2014 9:02 am    Post subject: Re: miniupnpd crashes when PCP MAP packet is truncated Reply with quote

offbynull wrote:
Hi,

A minor bug I noticed while testing my Java client library with miniupnpd's PCP functionality: If a request packet is missing data, miniupnpd crashes. I noticed this bug when I accidentally truncated the suggested external IP address (last field in the MAP op) to 4 bytes. I believe the proper response should something with error code MALFORMED_REQUEST (http://tools.ietf.org/html/rfc6887#section-7.4).

Indeed, I'm fixing the code
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1469

PostPosted: Mon Feb 03, 2014 9:58 am    Post subject: Reply with quote

I implemented ANNOUNCE request and fixed various issues

can you test again with the updated code miniupnpd-1.8.20140203.tar.gz or from github : https://github.com/miniupnp/miniupnp
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
offbynull



Joined: 27 Jan 2014
Posts: 11

PostPosted: Tue Feb 11, 2014 4:17 am    Post subject: Reply with quote

Hi,

Terribly sorry for the delay. I was under the impression that the phpbb would automatically notify me of replies to threads I start.

I'll give this a try in a bit and let you know how it goes. But I've also encountered another issue:

My understanding is that to keep a mapping alive. You need to re-issue your MAP requests at a rate less than the lifetime in the MAP response. Right now I'm re-issuing my MAP requests at lifetime / 4 (30 seconds in my case), but miniupnpd still drops my mapping. At first I thought that this may be due to the fact that I use a new nonce value for each MAP packet, but after inspecting pcpserver.c, it doesn't look like nonce is taken in to consideration.


Here's the wireshark output + syslog of my Ubuntu VM with miniupnpd installed. I create the mapping, keep it updated for 200 seconds, then try to unmap it. My client code doesn't report an error, but the syslog mentions that the mapping has been removed. Also, if I only maintain the mapping for exactly 120 seconds, the unmapping returns an error (NO_RESOURCE I think was the error code?).

EDIT: It seems that phpBB is truncating my dumps. Is there another avenue to get these logs to you?
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1469

PostPosted: Tue Feb 11, 2014 8:16 am    Post subject: Reply with quote

you can use http://pastebin.com/, email me (miniupnp at free dot fr) or github https://github.com/miniupnp/miniupnp
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
offbynull



Joined: 27 Jan 2014
Posts: 11

PostPosted: Tue Feb 11, 2014 8:45 am    Post subject: Reply with quote

Wireshark dump: http://pastebin.com/sA6NGZ4f
Syslog excerpt: http://pastebin.com/SL8vzYqf
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1469

PostPosted: Tue Feb 11, 2014 9:08 am    Post subject: Reply with quote

it looks like Mapping renewal is not working well
RFC6887 11.2.1. An existing mapping SHOULD have its lifetime extended by the PCP client for as long as the client wishes to have that mapping continue to exist. To do this, the PCP client sends a new MAP request indicating the internal port.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1469

PostPosted: Tue Feb 11, 2014 9:42 am    Post subject: Reply with quote

I think I have fixed it :
https://github.com/miniupnp/miniupnp/commit/16ea0db41162f80bdbee37bcc92bc8ce1f45e695
The lifetime was not updated...
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
offbynull



Joined: 27 Jan 2014
Posts: 11

PostPosted: Sat Mar 01, 2014 7:59 pm    Post subject: Reply with quote

Sorry for the delay.

It looks like things are pretty good. I went ahead and purchased an Apple Airport and it looks like the behaviour of Apple's PCP implementation is fairly consistent with miniupnpd's implementation. The only discrepancy that I came across was that Apple's implementation didn't support PREFER_FAILURE, which I think is a stupid decision on Apple's part Sad

I'm going to switch gears to implementing a upnp client. What version of upnpigd does miniupnpd currently support? Does miniupnpd's upnpigd implementation support events? I'm mainly interested in getting notified if my IP address changes or if any of my mappings are lost or timed out.



BTW: if you're interested in the client code I wrote, you can find it here:
https://code.google.com/p/peernetic/source/browse/#git%2Frouter-natpmp%2Fsrc%2Fmain%2Fjava%2Fcom%2Foffbynull%2Fpeernetic%2Frouter%253Fstate%253Dclosed
Back to top
View user's profile Send private message
offbynull



Joined: 27 Jan 2014
Posts: 11

PostPosted: Sun Mar 02, 2014 5:25 am    Post subject: Reply with quote

I just noticed an issue with IPv6 and UPnP.

SSPD is giving me back the following URL in the LOCATION header: http://[::1]:46466/rootDesc.xml

I think [::1] should be the IPv6 address of my miniupnpd VM.
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1469

PostPosted: Mon Mar 03, 2014 9:31 am    Post subject: Reply with quote

offbynull wrote:
I just noticed an issue with IPv6 and UPnP.

SSPD is giving me back the following URL in the LOCATION header: http://[::1]:46466/rootDesc.xml

I think [::1] should be the IPv6 address of my miniupnpd VM.

Please see what are the message in syslog...
[::1] is set when failing to get ipv6 address.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
offbynull



Joined: 27 Jan 2014
Posts: 11

PostPosted: Sat Mar 08, 2014 5:53 pm    Post subject: Reply with quote

Hey,

Here's what syslog is dumping out...

Mar 8 09:48:05 ubuntu miniupnpd[3109]: HTTP listening on port 55542
Mar 8 09:48:05 ubuntu miniupnpd[3109]: no HTTP IPv6 address
Mar 8 09:48:05 ubuntu miniupnpd[3109]: Listening for NAT-PMP/PCP traffic on port 5351
Mar 8 09:48:06 ubuntu miniupnpd[3109]: SSDP packet sender [fe80::e894:5c7d:16c0:7e18]:64879 not from a LAN, ignoring
Mar 8 09:48:39 miniupnpd[3109]: last message repeated 9 times

It sounds like this is a configuration issue with my VM.
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1469

PostPosted: Sun Mar 09, 2014 11:00 pm    Post subject: Reply with quote

you should have IPv6 addresses for your network interfaces.
And not just the link local ones (fe80::xxxx)
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> miniupnpc Bugs All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP
© 2007 Thomas Bernard, author of MiniUPNP.