Date: Sun, 21 Apr 2002 01:48:42 -0700 (PDT)
From: Kelly Yancey <kbyanc@posi.net>
To: arch@freebsd.org
Subject: Overflowing sockaddr_dl's sdl_data buffer
Message-ID: <20020421013332.F87395-100000@gateway.posi.net>
While working on a product at work, I discovered that it is trivial to
overflow the sdl_data buffer in sockaddr_dl structures. In our case, I
encountered the bug by creating a vlan100 interface. The sdl_data buffer is
populated with both the interface name and the parent interface's hardware
address; in this case 7 characters for the interface name and 6 more for the
parent's MAC address for a total of 13 characters (sdl_data is only defined
for 12 characters). As a result, the sdl_rcf field is garbage (actually, the
last octet of the MAC address). While I worked around the problem in our
product, I would prefer to see the bug fixed in FreeBSD proper.
So, I would like to solicit discussion of the proper fix for this bug.
Should sdl_data's length be extended (say 16 characters)? This would surely
break binary compatibility and only postpones the issue (imagine an interface
with a longer name). Should bounds checking be added to eliminate the
(supposedly optional) interface name from the sdl_data buffer if there is not
room? If so, how does one ensure all drivers (including 3rd party)
perform the bounds checking? Surely there are other options too. In any
event, the comment in sys/net/if_dl.h for the sdl_data field needs updating
because, since the source routing information was added following the sdl_data
field, it is impossible for the sdl_data field to be larger than that defined
by the structure definition.
Thanks,
Kelly
kbyanc@{posi.net,FreeBSD.org}
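The overflow described in the message, modelled in C as an added example that is not part of the original post or of FreeBSD's sources: a constructed stand-in for the sockaddr_dl layout of the time, with the unchecked name-plus-address copy beside a bounds-checked variant that drops the optional interface name when the pair does not fit. Field names follow sys/net/if_dl.h; the model struct, both fill functions and the drop-the-name policy are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SDL_DATA_SIZE 12

/* Model of FreeBSD's struct sockaddr_dl as laid out in sys/net/if_dl.h at the
 * time (constructed for this example, not the kernel header). The 12-byte
 * sdl_data is followed directly by the source-routing fields, so anything
 * written past sdl_data[11] lands in sdl_rcf. */
struct sdl_model {
    uint8_t  sdl_len, sdl_family;
    uint16_t sdl_index;
    uint8_t  sdl_type, sdl_nlen, sdl_alen, sdl_slen; /* name, addr, selector lengths */
    char     sdl_data[SDL_DATA_SIZE];   /* interface name then address, back to back */
    uint16_t sdl_rcf;                   /* source-routing control field */
    uint16_t sdl_route[16];
};

/* The unchecked fill the report describes: name and address are copied back
 * to back with no check against sizeof sdl_data. Writing through a byte pointer
 * keeps the copy inside the struct object; the 13th byte overwrites sdl_rcf. */
void sdl_fill_unchecked(struct sdl_model *sdl, const char *name,
                        const uint8_t *addr, size_t alen)
{
    size_t nlen = strlen(name);
    unsigned char *p = (unsigned char *)sdl + offsetof(struct sdl_model, sdl_data);
    memset(sdl, 0, sizeof *sdl);
    memcpy(p, name, nlen);
    memcpy(p + nlen, addr, alen);
    sdl->sdl_nlen = (uint8_t)nlen;
    sdl->sdl_alen = (uint8_t)alen;
}

/* Bounds-checked fill along the lines the report proposes: the name is
 * optional, so drop it when name+address does not fit, and refuse outright
 * when even the address alone does not fit. Returns 1 on success, 0 on refusal. */
int sdl_fill_checked(struct sdl_model *sdl, const char *name,
                     const uint8_t *addr, size_t alen)
{
    size_t nlen = strlen(name);
    if (alen > SDL_DATA_SIZE)
        return 0;
    if (nlen + alen > SDL_DATA_SIZE)
        nlen = 0;               /* keep the address, lose the optional name */
    memset(sdl, 0, sizeof *sdl);
    memcpy(sdl->sdl_data, name, nlen);
    memcpy(sdl->sdl_data + nlen, addr, alen);
    sdl->sdl_nlen = (uint8_t)nlen;
    sdl->sdl_alen = (uint8_t)alen;
    return 1;
}
```

With a 7-character name such as "vlan100" and a 6-byte MAC, the unchecked fill leaves the MAC's last octet in the first byte of sdl_rcf, exactly the symptom the message reports, while the checked fill stores the address alone and leaves sdl_rcf zero.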
