Date: Sun, 21 Apr 2002 01:48:42 -0700 (PDT)
From: Kelly Yancey
To: arch@freebsd.org
Subject: Overflowing sockaddr_dl's sdl_data buffer
Message-ID: <20020421013332.F87395-100000@gateway.posi.net>

While working on a product at work, I discovered that it is trivial to overflow the sdl_data buffer in sockaddr_dl structures. In our case, I encountered the bug by creating a vlan100 interface. The sdl_data buffer is populated with both the interface name and the parent interface's hardware address; in this case 7 characters for the interface name and 6 more for the parent's MAC address, for a total of 13 characters (sdl_data is only defined for 12 characters). As a result, the sdl_rcf field is garbage (actually, the last octet of the MAC address).

While I worked around the problem in our product, I would prefer to see the bug fixed in FreeBSD proper. So, I would like to solicit discussion of the proper fix for this bug. Should sdl_data's length be extended (say 16 characters)? This would surely break binary compatibility and only postpones the issue (imagine an interface with a longer name). Should bounds checking be added to eliminate the (supposedly optional) interface name from the sdl_data buffer if there is not room? If so, how does one ensure all drivers (including 3rd party) perform the bounds checking? Surely there are other options too.

In any event, the comment in sys/net/if_dl.h for the sdl_data field needs updating because, since the source routing information was added following the sdl_data field, it is impossible for the sdl_data field to be larger than that defined by the structure definition.

Thanks,
Kelly

kbyanc@{posi.net,FreeBSD.org}
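The arithmetic behind the overflow, and the bounds-checking option raised in the post, as an added example that is not code from the post or from FreeBSD; the struct layout is reconstructed from the description above, and SDL_DATA_LEN, sockaddr_dl_demo, sdl_overrun and sdl_pack are assumed names.

```c
#include <stdint.h>
#include <string.h>

#define SDL_DATA_LEN 12  /* sdl_data size the post reports */

/* Illustrative copy of the layout the post describes; not the kernel's
 * sys/net/if_dl.h, only here to make the field arithmetic visible. */
struct sockaddr_dl_demo {
    uint8_t  sdl_len;
    uint8_t  sdl_family;
    uint16_t sdl_index;
    uint8_t  sdl_type;
    uint8_t  sdl_nlen;
    uint8_t  sdl_alen;
    uint8_t  sdl_slen;
    char     sdl_data[SDL_DATA_LEN]; /* if name + link-level address */
    uint16_t sdl_rcf;                /* source routing control */
    uint16_t sdl_route[16];          /* source routing information */
};

/* Bytes by which "name then address" overruns sdl_data; any positive
 * value lands in sdl_rcf first, then sdl_route. */
size_t sdl_overrun(const char *ifname, size_t alen)
{
    size_t need = strlen(ifname) + alen;
    return need > SDL_DATA_LEN ? need - SDL_DATA_LEN : 0;
}

/* Hypothetical bounds-checked packer (not FreeBSD code): the address is
 * mandatory, the optional name is dropped when both do not fit. Returns
 * 1 if the name was kept, 0 if dropped, -1 if even the address is too
 * large. Nothing is ever written past sdl_data. */
int sdl_pack(struct sockaddr_dl_demo *sdl, const char *ifname,
             const uint8_t *lladdr, size_t alen)
{
    size_t nlen = strlen(ifname);
    int kept = 1;
    if (alen > SDL_DATA_LEN)
        return -1;
    if (nlen + alen > SDL_DATA_LEN) {
        nlen = 0;  /* no room: keep the address, drop the name */
        kept = 0;
    }
    memset(sdl, 0, sizeof(*sdl));
    sdl->sdl_nlen = (uint8_t)nlen;
    sdl->sdl_alen = (uint8_t)alen;
    memcpy(sdl->sdl_data, ifname, nlen);
    memcpy(sdl->sdl_data + nlen, lladdr, alen);
    return kept;
}
```

With "vlan100" and a 6-byte MAC, sdl_overrun reports the one spilled byte the post observed in sdl_rcf, and sdl_pack keeps only the address.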