Date: Wed, 8 Jan 2003 15:33:49 -0500 (EST)
From: Dong Lin <dong@research.bell-labs.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/46881: ether_input casts m_hdr to mbuf and causes bpf_mtap to access random data
Message-ID: <200301082033.h08KXntX003217@doom-11.cs.bell-labs.com>
>Number:         46881
>Category:       kern
>Synopsis:       ether_input casts m_hdr to mbuf and causes bpf_mtap to access random data
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 08 12:40:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Dong Lin
>Release:        FreeBSD 4.7-RELEASE i386 (also present in 5.0-current)
>Organization:
>Environment:
System: FreeBSD doom-11.cs.bell-labs.com 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Thu Oct 31 17:21:42 EST 2002 dong@char.research.bell-labs.com:/.amd_mnt/bopp/home/dong/FreeBSD/4.7/compile/DISKLESS.SMP i386
>Description:
There is a bug in ether_input's handling of bpf_mtap. It passes an m_hdr to bpf_mtap as the head of an mbuf chain. But bpf_mtap touches beyond m_hdr. Fortunately, that code is only used if the user program clears SEESENT.

I am running 4.7-release. But I see the same code in 5.0-current.
>How-To-Repeat:
Add the following lines to the user bpf program:

	if (ioctl(pd->fd, BIOCSSEESENT, &no) < 0) {
		perror("BIOCSSEESENT");
	}
>Fix:
--- if_ethersubr.c	Wed Jan  8 15:30:12 2003
+++ /sys/net/if_ethersubr.c	Fri Aug 30 10:23:38 2002
@@ -569,13 +569,13 @@
 	/* Check for a BPF tap */
 	if (ifp->if_bpf != NULL) {
-		struct mbuf mb;
+		struct m_hdr mh;
 
-		mb.m_next = m;
-		mb.m_data = (char *)eh;
-		mb.m_len = ETHER_HDR_LEN;
-		mb.m_pkthdr.rcvif = m->m_pkthdr.rcvif;
-		bpf_mtap(ifp, (struct mbuf *)&mb);
+		/* This kludge is OK; BPF treats the "mbuf" as read-only */
+		mh.mh_next = m;
+		mh.mh_data = (char *)eh;
+		mh.mh_len = ETHER_HDR_LEN;
+		bpf_mtap(ifp, (struct mbuf *)&mh);
 	}
 	ifp->if_ibytes += m->m_pkthdr.len + sizeof (*eh);
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
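Review bot: the diff is reversed. The `---` side (if_ethersubr.c, Jan 8 2003) is the corrected file and the `+++` side (/sys/net/if_ethersubr.c, Aug 30 2002) is the existing kernel source, so the `-` lines are the fix and the `+` lines are the buggy code; feeding this to patch(1) as-is would reinstate the `struct m_hdr mh;` kludge rather than remove it. Regenerate it as `diff -u <old> <new>` (or say it must be applied with `-R`). Two smaller points on the corrected side: `mb.m_flags` is never set, so the stack mbuf does not carry M_PKTHDR even though `m_pkthdr.rcvif` is the field bpf_mtap reads for the SEESENT test, and the deleted comment about BPF treating the "mbuf" as read-only is still true of the full-mbuf version and is worth keeping to explain why a stack-allocated head is acceptable.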
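The mechanism behind the report, as an added example that is not part of the PR or of the FreeBSD source tree: a user-space model of the 4.x mbuf layout (field names follow sys/mbuf.h, sizes are simplified and assumed) together with a model of the SEESENT test in bpf_mtap(). It shows that `m_pkthdr.rcvif`, the field bpf_mtap reads when a descriptor has cleared BIOCSSEESENT, lies at or past the end of `struct m_hdr`, so the on-stack `struct m_hdr` cast to `struct mbuf` hands bpf_mtap memory it does not own, and it shows the full-mbuf head from the fix. The helper `ether_bpf_head` goes one step beyond the PR's patch by zeroing the struct and setting M_PKTHDR; `struct ifnet`, `MSIZE` and the sample frame are constructed stand-ins.

```c
/*
 * Added example, not code from the PR or from the FreeBSD source tree:
 * a user-space model of the 4.x mbuf layout and of the SEESENT test in
 * bpf_mtap(), to show why a stack struct m_hdr cast to struct mbuf is too
 * small for what bpf_mtap() reads, and what a complete stack head looks like.
 * Field names follow sys/mbuf.h; sizes and the tap logic are simplified.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSIZE         128     /* 4.x mbuf size (assumed for the model) */
#define M_PKTHDR      0x0002  /* mbuf flag: m_pkthdr is valid */
#define ETHER_HDR_LEN 14

struct ifnet { const char *if_xname; };   /* stand-in for the kernel struct */

struct m_hdr {                 /* what the kludge allocates on the stack */
	struct mbuf *mh_next;
	struct mbuf *mh_nextpkt;
	char        *mh_data;
	int          mh_len;
	short        mh_type;
	short        mh_flags;
};

struct pkthdr {                /* only the fields this model needs */
	struct ifnet *rcvif;
	int           len;
};

struct mbuf {                  /* what bpf_mtap() is actually handed */
	struct m_hdr m_hdr;
	union {
		struct {
			struct pkthdr MH_pkthdr;
			char MH_databuf[MSIZE - sizeof(struct m_hdr) - sizeof(struct pkthdr)];
		} MH;
		char M_databuf[MSIZE - sizeof(struct m_hdr)];
	} M_dat;
};
#define m_next   m_hdr.mh_next
#define m_data   m_hdr.mh_data
#define m_len    m_hdr.mh_len
#define m_flags  m_hdr.mh_flags
#define m_pkthdr M_dat.MH.MH_pkthdr

/*
 * Where m_pkthdr.rcvif sits relative to the end of struct m_hdr.  A result
 * of 0 or more means the SEESENT test reads memory that a stack struct
 * m_hdr does not contain: on the kernel stack that is whatever happens to
 * follow the local variable.
 */
long rcvif_bytes_past_m_hdr(void)
{
	static struct mbuf probe;
	return (long)((char *)&probe.m_pkthdr.rcvif - (char *)&probe)
	     - (long)sizeof(struct m_hdr);
}

/* Model of the per-descriptor test in bpf_mtap(): a descriptor that cleared
 * BIOCSSEESENT is only given packets that have a receiving interface. */
int bpf_descriptor_skips(const struct mbuf *m, int bd_seesent)
{
	return !bd_seesent && m->m_pkthdr.rcvif == NULL;
}

/*
 * The corrected pattern from the PR (a full struct mbuf with rcvif copied
 * from the real chain), with two additions beyond the PR: the struct is
 * zeroed first and M_PKTHDR is set so m_pkthdr is marked valid.
 */
struct mbuf ether_bpf_head(struct mbuf *m, char *eh)
{
	struct mbuf mb;

	memset(&mb, 0, sizeof(mb));
	mb.m_next = m;
	mb.m_data = eh;
	mb.m_len = ETHER_HDR_LEN;
	mb.m_flags = M_PKTHDR;
	mb.m_pkthdr.rcvif = m->m_pkthdr.rcvif;
	mb.m_pkthdr.len = ETHER_HDR_LEN + m->m_pkthdr.len;
	return mb;
}

/* Build a constructed received frame and ask whether a descriptor with the
 * given bd_seesent setting would see the tapped head.  Returns 1 if seen. */
int head_seen_by_descriptor(int bd_seesent)
{
	static struct ifnet fxp0 = { "fxp0" };   /* constructed interface */
	static char eh[ETHER_HDR_LEN];           /* constructed header bytes */
	struct mbuf payload, head;

	memset(&payload, 0, sizeof(payload));
	payload.m_flags = M_PKTHDR;
	payload.m_pkthdr.rcvif = &fxp0;
	payload.m_pkthdr.len = 46;

	head = ether_bpf_head(&payload, eh);
	return !bpf_descriptor_skips(&head, bd_seesent);
}

int main(void)
{
	printf("rcvif lies %ld bytes past the end of struct m_hdr\n",
	       rcvif_bytes_past_m_hdr());
	printf("SEESENT cleared: head %s\n",
	       head_seen_by_descriptor(0) ? "seen" : "skipped");
	return 0;
}
```

Because `struct m_hdr` is the first member of `struct mbuf`, `m_pkthdr` begins exactly where the header ends, so the buggy cast makes bpf_mtap's `m->m_pkthdr.rcvif` read whatever follows `mh` on the stack; with BIOCSSEESENT left at its default the test is not evaluated, which is why the report notes the bug only shows when a program clears it. The full-mbuf head makes that read land inside a field the caller initialized.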