Date: Wed, 8 Jan 2003 15:33:49 -0500 (EST)
From: Dong Lin <dong@research.bell-labs.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/46881: ether_input casts m_hdr to mbuf and causes bpf_mtap to access random data
Message-ID: <200301082033.h08KXntX003217@doom-11.cs.bell-labs.com>
>Number: 46881
>Category: kern
>Synopsis: ether_input casts m_hdr to mbuf and causes bpf_mtap to access random data
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 08 12:40:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Dong Lin
>Release: FreeBSD 4.7-RELEASE i386 (also present in 5.0-current)
>Organization:
>Environment:
System: FreeBSD doom-11.cs.bell-labs.com 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Thu Oct 31 17:21:42 EST 2002 dong@char.research.bell-labs.com:/.amd_mnt/bopp/home/dong/FreeBSD/4.7/compile/DISKLESS.SMP i386
>Description:
There is a bug in ether_input's handling of bpf_mtap. It passes an
m_hdr to bpf_mtap as the head of an mbuf chain. But bpf_mtap touches
beyond m_hdr. Fortunately, that code is only used if the user program
clears SEESENT.
I am running 4.7-release. But I see the same code in 5.0-current.
>How-To-Repeat:
Add the following lines to the user BPF program:
	u_int no = 0;	/* clear SEESENT so locally sent packets are not seen */
	if (ioctl(pd->fd, BIOCSSEESENT, &no) < 0) {
		perror("BIOCSSEESENT");
	}
>Fix:
--- if_ethersubr.c Wed Jan 8 15:30:12 2003
+++ /sys/net/if_ethersubr.c Fri Aug 30 10:23:38 2002
@@ -569,13 +569,13 @@
/* Check for a BPF tap */
if (ifp->if_bpf != NULL) {
- struct mbuf mb;
+ struct m_hdr mh;
- mb.m_next = m;
- mb.m_data = (char *)eh;
- mb.m_len = ETHER_HDR_LEN;
- mb.m_pkthdr.rcvif = m->m_pkthdr.rcvif;
- bpf_mtap(ifp, (struct mbuf *)&mb);
+ /* This kludge is OK; BPF treats the "mbuf" as read-only */
+ mh.mh_next = m;
+ mh.mh_data = (char *)eh;
+ mh.mh_len = ETHER_HDR_LEN;
+ bpf_mtap(ifp, (struct mbuf *)&mh);
}
ifp->if_ibytes += m->m_pkthdr.len + sizeof (*eh);
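Review bot: the diff is reversed, so it will not apply as posted: the `---` side (if_ethersubr.c, Jan 8 2003) is the submitter's edited copy and the `+++` side (/sys/net/if_ethersubr.c, Aug 30 2002) is the stock file, which makes the `+` lines here the buggy `struct m_hdr mh` code and the `-` lines the proposed `struct mbuf mb` fix; regenerate it with the original file first (or apply it with `patch -R`). On the fix itself: only `mb.m_next`, `mb.m_data`, `mb.m_len` and `mb.m_pkthdr.rcvif` are set, so the rest of `mb` (m_flags, m_nextpkt, m_pkthdr.len, ...) is uninitialized stack, which is safe only as long as bpf_mtap reads nothing else; a `bzero(&mb, sizeof(mb));` before the assignments would close off the same class of bug if bpf_mtap ever reads another field. The dropped comment should also be carried over in updated form, saying that a full struct mbuf is needed because bpf_mtap reads m_pkthdr.rcvif when a descriptor has SEESENT cleared, so a future reader does not "optimize" it back to an m_hdr.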
>Release-Note:
>Audit-Trail:
>Unformatted:
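As an added illustration (not part of the PR and not FreeBSD source), the user-space C program below models the layout problem the report describes: the packet header in a struct mbuf sits after the m_hdr, so when ether_input hands bpf_mtap a bare `struct m_hdr` cast to `struct mbuf *`, the `m_pkthdr.rcvif` read that the SEESENT check performs starts exactly where the local variable ends. The struct definitions are a simplified model of the 4.x mbuf (the real structs have more members; the ordering is what matters), the `bpf_mtap_would_deliver` check is an assumption about the exact test in bpf_mtap, and `build_bpf_hdr_mbuf` is the PR's fix plus a zeroing of the whole struct.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the FreeBSD 4.x mbuf layout (assumption: the real
 * structs carry more members, but the ordering that matters is the same:
 * the packet header lives after the m_hdr, inside the data union).
 */
struct ifnet { char if_name[16]; };
struct mbuf;

struct m_hdr {
	struct mbuf	*mh_next;	/* next buffer in chain */
	struct mbuf	*mh_nextpkt;	/* next chain in queue */
	char		*mh_data;	/* location of data */
	int		 mh_len;	/* amount of data in this mbuf */
	short		 mh_type;
	short		 mh_flags;
};

struct pkthdr {
	struct ifnet	*rcvif;		/* receive interface, NULL if locally sent */
	int		 len;		/* total packet length */
};

#define MLEN 96

struct mbuf {
	struct m_hdr m_hdr;
	union {
		struct {
			struct pkthdr MH_pkthdr;
			char MH_databuf[MLEN - sizeof(struct pkthdr)];
		} MH;
		char M_databuf[MLEN];
	} M_dat;
};
#define m_next		m_hdr.mh_next
#define m_data		m_hdr.mh_data
#define m_len		m_hdr.mh_len
#define m_pkthdr	M_dat.MH.MH_pkthdr

/*
 * Does a read of m->m_pkthdr.rcvif fall inside an object of objsize bytes?
 * For objsize == sizeof(struct m_hdr), the kludge in ether_input, the answer
 * is no: the field starts where the m_hdr ends, so the read lands on whatever
 * follows the local variable on the kernel stack.
 */
int
rcvif_read_in_bounds(size_t objsize)
{
	size_t end = offsetof(struct mbuf, m_pkthdr) + sizeof(struct ifnet *);
	return end <= objsize;
}

/*
 * Model of the SEESENT check in bpf_mtap (assumption about the exact code;
 * it is the m_pkthdr read the PR says reaches past the m_hdr): with SEESENT
 * cleared, a packet whose rcvif is NULL counts as locally sent and is
 * skipped. Returns 1 if the packet would be handed to the filter.
 */
int
bpf_mtap_would_deliver(const struct mbuf *m, int seesent)
{
	if (!seesent && m->m_pkthdr.rcvif == NULL)
		return 0;
	return 1;
}

/*
 * Header construction as in the PR's fix: a full struct mbuf, with the one
 * pkthdr field bpf_mtap reads copied from the real packet. Zeroing first
 * leaves no other field as uninitialized stack.
 */
void
build_bpf_hdr_mbuf(struct mbuf *mb, struct mbuf *m, char *eh, int hdrlen)
{
	memset(mb, 0, sizeof(*mb));
	mb->m_next = m;
	mb->m_data = eh;
	mb->m_len = hdrlen;
	mb->m_pkthdr.rcvif = m->m_pkthdr.rcvif;
}

int
main(void)
{
	struct ifnet fxp0 = { "fxp0" };	/* constructed interface name */
	struct mbuf pkt, hdr;
	char eh[14] = { 0 };		/* constructed 14-byte Ethernet header */

	memset(&pkt, 0, sizeof(pkt));
	pkt.m_pkthdr.rcvif = &fxp0;	/* an inbound packet */

	printf("m_hdr is %zu bytes, rcvif read ends at byte %zu: in bounds? %d\n",
	    sizeof(struct m_hdr),
	    offsetof(struct mbuf, m_pkthdr) + sizeof(struct ifnet *),
	    rcvif_read_in_bounds(sizeof(struct m_hdr)));

	build_bpf_hdr_mbuf(&hdr, &pkt, eh, sizeof(eh));
	printf("fixed header mbuf delivered with SEESENT off: %d\n",
	    bpf_mtap_would_deliver(&hdr, 0));
	return 0;
}
```

The first printf shows the arithmetic behind the report: on any ABI the rcvif field begins at `sizeof(struct m_hdr)`, so a descriptor with SEESENT cleared makes bpf_mtap compare stack garbage against NULL, randomly dropping inbound frames or passing them along. The second shows that, with the full struct mbuf of the fix, an inbound packet keeps its rcvif and is delivered while a NULL rcvif is still filtered as locally sent.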
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301082033.h08KXntX003217>
