bin/54517: dhclient core dumps on negative ip address leasetime

Anders Nordby anders at
Tue Jul 15 15:20:03 PDT 2003

>Number:         54517
>Category:       bin
>Synopsis:       dhclient core dumps on negative ip address leasetime
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 15 15:20:00 PDT 2003
>Originator:     Anders Nordby
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
Fluxpod Information eXchange
>Environment:
System: FreeBSD lappy 5.1-RELEASE FreeBSD 5.1-RELEASE #8: Mon Jul 14 23:15:40 CEST 2003     root at lappy:/usr/obj/usr/src/sys/LAPPY  i386

>Description:
I was trying out some ISDN routers with broken config/hardware at work, and
found dhclient on my laptop to be dumping core when getting a DHCPACK with the
ip address leasetime set to -1 from one of them (a Cisco 760 series router).

GDB tells me (when I have compiled dhclient with CFLAGS="-O -pipe -g" and
installed it with STRIP=""):

root at lappy:~# gdb /sbin/dhclient
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
(gdb) run fxp0
Starting program: /sbin/dhclient fxp0

Program received signal SIGFPE, Arithmetic exception.
0x0804b3db in dhcpack (packet=0x8118380)
    at /usr/src/contrib/isc-dhcp/client/dhclient.c:801
801             client -> new -> renewal = (((client -> new -> renewal + 3) * 3 / 4) +
(gdb) bt
#0  0x0804b3db in dhcpack (packet=0x8118380)
    at /usr/src/contrib/isc-dhcp/client/dhclient.c:801
#1  0x0804bb7d in dhcp (packet=0x8118380)
    at /usr/src/contrib/isc-dhcp/client/dhclient.c:1054
#2  0x080646e1 in do_packet (interface=0x8118000, packet=0xbfbfe9b0, len=548, 
    from_port=17152, from=
      {len = 4, iabuf = "À¨\022\021\020\021©\226\0\0\0\0ÿÿÿÿ"}, 
    hfrom=0xbfbff9d0) at /usr/src/contrib/isc-dhcp/common/options.c:2212
#3  0x08067754 in got_one (h=0x0)
    at /usr/src/contrib/isc-dhcp/common/discover.c:783
#4  0x08083192 in omapi_one_dispatch (wo=0x0, t=0xbfbffc28)
    at /usr/src/contrib/isc-dhcp/omapip/dispatch.c:418
#5  0x0804fb68 in dispatch ()
    at /usr/src/contrib/isc-dhcp/common/dispatch.c:103
#6  0x0804ad2b in main (argc=2, argv=0xbfbffcd0, envp=0xbfbffcdc)
    at /usr/src/contrib/isc-dhcp/client/dhclient.c:477
#7  0x08048145 in _start ()
(gdb) q
The program is running.  Exit anyway? (y or n) y

You can fetch a core dump and dhcpdump data off

My patch below is inspired by OpenBSD bug ID 1077
( and
their patch to src/usr.sbin/dhcp/dhclient/dhclient.c (diff between revision
1.11 and 1.12).

>How-To-Repeat:
Set up a DHCP server that offers negative (-1) IP address lease time, try to
get a DHCP lease with dhclient in FreeBSD.

Possibly, other negative or zero values will also crash dhclient. More
investigation is needed. The problem should be the same in -stable/4.x,
I first discovered it there.

>Fix:
--- contrib/isc-dhcp/client/dhclient.c.orig	Mon Mar 24 00:29:36 2003
+++ contrib/isc-dhcp/client/dhclient.c	Tue Jul 15 23:32:26 2003
@@ -798,6 +798,7 @@
 			client -> new -> expiry / 2;
 	/* Now introduce some randomness to the renewal time: */
+	if (
 	client -> new -> renewal = (((client -> new -> renewal + 3) * 3 / 4) +
 				    (random () % /* XXX NUMS */
 				     ((client -> new -> renewal + 3) / 4)));
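Review bot: the single added line `+	if (` is incomplete, so the hunk as posted does not compile; the condition it opens is missing and the assignment that follows is not enclosed by it, which matches the `+798,6 +798,7` header showing only one line added. The actual trap is the divisor of the jitter term, `(client -> new -> renewal + 3) / 4`: it is zero for any renewal in -3..0, and since the context line above defaults renewal to `client -> new -> expiry / 2`, a lease time of -1 gives renewal 0 and `random () % 0` raises the SIGFPE in the backtrace. Suggest computing the divisor into a local and skipping the randomization when it is <= 0, and rejecting a non-positive lease time earlier in dhcpack so that negative expiry, renewal and rebind values never reach the lease in the first place.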

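The arithmetic behind the crash, as an added example that is not part of the PR or of the ISC/FreeBSD dhclient source: it reconstructs the renewal computation from the quoted lines (renewal defaulting to expiry / 2, then a jitter of random () % ((renewal + 3) / 4)) to show why a lease time of -1 traps, and pairs it with a guarded version. The option bytes are constructed, compute_renewal and its policy of rejecting non-positive lease times are this example's own choices, and rnd stands in for random ().

```c
/* Added example: not the FreeBSD/ISC dhclient source. Reconstructs the
 * renewal-time arithmetic described in the PR (dhclient.c:798-801) to show
 * why a lease time of -1 raises SIGFPE, and a guarded alternative. */
#include <stdint.h>
#include <stdio.h>

/* DHCP option 51 (IP address lease time) is a 4-byte big-endian value.
 * dhclient keeps it in a signed time type, so 0xFFFFFFFF reads back as -1. */
int32_t lease_from_option(const uint8_t opt[4])
{
    uint32_t u = ((uint32_t)opt[0] << 24) | ((uint32_t)opt[1] << 16) |
                 ((uint32_t)opt[2] << 8) | (uint32_t)opt[3];
    return (int32_t)u;
}

/* The divisor of the jitter term on the quoted line 801:
 *   random () % ((renewal + 3) / 4)
 * Any renewal in [-3, 0] makes it zero. */
int32_t jitter_divisor(int32_t renewal)
{
    return (renewal + 3) / 4;
}

/* 1 if dhcpack() would trap for this lease time when the server sends no
 * renewal option (renewal then defaults to expiry / 2, line 798). */
int ack_would_trap(int32_t lease_time)
{
    int32_t renewal = lease_time / 2;   /* -1 / 2 == 0 in C */
    return jitter_divisor(renewal) == 0;
}

/* Guarded version (policy chosen for this example, not dhclient's):
 * reject non-positive lease times so they never become a lease, and skip
 * the jitter when the divisor would be zero. rnd stands in for random ().
 * Returns 0 on success, -1 if the ACK should be discarded. */
int compute_renewal(int32_t lease_time, int32_t renewal_opt, uint32_t rnd,
                    int32_t *renewal_out)
{
    if (lease_time <= 0)
        return -1;
    /* 64-bit intermediates so (renewal + 3) cannot overflow for large leases. */
    int64_t renewal = (renewal_opt > 0) ? renewal_opt : lease_time / 2;
    int64_t quarter = (renewal + 3) / 4;
    if (quarter <= 0) {
        *renewal_out = (int32_t)renewal;   /* too short to jitter */
        return 0;
    }
    *renewal_out = (int32_t)((renewal + 3) * 3 / 4 +
                             (int64_t)(rnd % (uint32_t)quarter));
    return 0;
}

int main(void)
{
    /* Constructed option bytes: 0xFFFFFFFF (the Cisco 760 case) and 3600 s. */
    const uint8_t bad[4]  = {0xff, 0xff, 0xff, 0xff};
    const uint8_t good[4] = {0x00, 0x00, 0x0e, 0x10};
    int32_t r = 0;

    printf("lease %d: would trap = %d\n", lease_from_option(bad),
           ack_would_trap(lease_from_option(bad)));
    printf("lease %d: would trap = %d\n", lease_from_option(good),
           ack_would_trap(lease_from_option(good)));
    printf("guarded, lease -1: rc=%d\n",
           compute_renewal(lease_from_option(bad), 0, 7, &r));
    compute_renewal(lease_from_option(good), 0, 7, &r);
    printf("guarded, lease 3600: renewal=%d\n", r);
    return 0;
}
```

The check on the divisor rather than on the sign of renewal matters: lease times of 0 and 1 also give renewal 0 and the same modulo by zero, which is the "other negative or zero values" the PR suspects.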