From owner-freebsd-net@FreeBSD.ORG Wed May 16 21:40:11 2007
Date: Wed, 16 May 2007 21:40:10 GMT
Message-Id: <200705162140.l4GLeAI5037827@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: Ariff Abdullah
Subject: Re: kern/112670: [if_tap] stat /dev/tapN leads to panic for N >= 2G
List-Id: Networking and TCP/IP with FreeBSD

The following reply was made to PR kern/112670; it has been noted by GNATS.
From: Ariff Abdullah
To: bug-followup@FreeBSD.org, osd@cs.unibo.it
Subject: Re: kern/112670: [if_tap] stat /dev/tapN leads to panic for N >= 2G
Date: Thu, 17 May 2007 05:33:48 +0800

Grr... this was meant for kern/112670, not 112671. Sorry.

Well, I'm not really sure if this is all about signedness or simply because dev_stdclone() itself fails to do correct checking on unit > 0xffffff (it should be CLONE_UNITMASK, which is 0xfffff, no?); obviously an overflow against clone_create(). It could be argued that the caller would later strip and truncate it, but there are a few other drivers (notably snp(4)) which innocently proceed without any tinkering.

Anyway, try this patch. It should help other dev_stdclone() users too.

-- 
Ariff Abdullah
FreeBSD

... Recording in stereo is obviously too advanced and confusing for us idiot ***** users :P ........

[Attachment: kern_conf.c.diff]

Index: src/sys/kern/kern_conf.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_conf.c,v
retrieving revision 1.201
diff -u -r1.201 kern_conf.c
--- src/sys/kern/kern_conf.c	2 Feb 2007 22:27:45 -0000	1.201
+++ src/sys/kern/kern_conf.c	16 May 2007 20:05:51 -0000
@@ -763,7 +763,7 @@
 		u *= 10;
 		u += name[i++] - '0';
 	}
-	if (u > 0xffffff)
+	if (u > CLONE_UNITMASK)
 		return (0);
 	*unit = u;
 	if (namep)
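Review bot: tightening the bound at `if (u > CLONE_UNITMASK)` does not address the N >= 2G case in the PR title, because the check still runs only after the accumulation loop visible in the context lines (`u *= 10; u += name[i++] - '0';`); a long enough digit string wraps `u` before the comparison is reached, and a wrapped (negative or small) value sails through `u > CLONE_UNITMASK` just as it did through `u > 0xffffff`. Suggest rejecting inside the loop before the multiply, e.g. `if (u > (CLONE_UNITMASK - (name[i] - '0')) / 10) return (0);` ahead of `u *= 10;`, or capping the number of digits accepted, so the accumulator can never exceed the mask. A one-line comment saying why the bound is CLONE_UNITMASK rather than the old literal would also help the next reader of this function.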
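The following is an added example, written for this page and not code from FreeBSD, from Ariff's patch or from the PR: a userland model of the stem-plus-unit parsing that dev_stdclone() performs, in two variants. `parse_unit_naive` accumulates every digit first and range-checks afterwards, the shape the hunk's context lines show, with the patched CLONE_UNITMASK bound applied; `parse_unit_safe` rejects inside the loop before each multiply, so the accumulator can never exceed the mask. The value CLONE_UNITMASK = 0xfffff is taken from the mail; the function names, the REJECTED sentinel, the "tap" stem and the device names fed in are constructed for the example. The naive variant folds digits in uint32_t and converts to int afterwards so that the 32-bit wrap the kernel's signed int would suffer is reproduced deterministically instead of through undefined behaviour.

```c
/* Added example: model of dev_stdclone()-style unit parsing, naive vs. hardened. */
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLONE_UNITMASK 0xfffff            /* assumed, per the mail: 20-bit unit */
#define REJECTED       (-(1LL << 40))     /* sentinel outside any int unit value */

/* Shared prefix checks: stem must match, a digit must follow, no leading zeros. */
static int
unit_prefix_ok(const char *name, const char *stem, size_t *idx)
{
	size_t i = strlen(stem);

	if (strncmp(stem, name, i) != 0)
		return (0);
	if (!isdigit((unsigned char)name[i]))
		return (0);
	if (name[i] == '0' && isdigit((unsigned char)name[i + 1]))
		return (0);
	*idx = i;
	return (1);
}

/* Naive: accumulate, then check. Returns 0 (reject), 1 (exact) or 2 (trailing text). */
static int
parse_unit_naive(const char *name, const char *stem, int *unit)
{
	size_t i;
	uint32_t u = 0;
	int su;

	if (!unit_prefix_ok(name, stem, &i))
		return (0);
	while (isdigit((unsigned char)name[i])) {
		u *= 10;			/* wraps silently past 2^32 */
		u += (uint32_t)(name[i++] - '0');
	}
	su = (int)u;				/* "2147483648" is INT_MIN by now */
	if (su > CLONE_UNITMASK)		/* the patched bound; a wrapped su passes */
		return (0);
	*unit = su;
	return (name[i] ? 2 : 1);
}

/* Hardened: u*10 + d <= CLONE_UNITMASK is verified before it is computed. */
static int
parse_unit_safe(const char *name, const char *stem, int *unit)
{
	size_t i;
	int u = 0;

	if (!unit_prefix_ok(name, stem, &i))
		return (0);
	while (isdigit((unsigned char)name[i])) {
		int d = name[i++] - '0';

		if (u > (CLONE_UNITMASK - d) / 10)
			return (0);		/* next step would exceed the mask */
		u = u * 10 + d;
	}
	*unit = u;
	return (name[i] ? 2 : 1);
}

/* Fold (rc, unit) into one value: the unit on accept, REJECTED otherwise. */
static long long
unit_of_naive(const char *name)
{
	int u = 0;

	return (parse_unit_naive(name, "tap", &u) ? (long long)u : REJECTED);
}

static long long
unit_of_safe(const char *name)
{
	int u = 0;

	return (parse_unit_safe(name, "tap", &u) ? (long long)u : REJECTED);
}

static void
show(long long v)
{
	if (v == REJECTED)
		printf(" %14s", "reject");
	else
		printf(" %14lld", v);
}

int
main(void)
{
	/* Constructed names covering the mask edge and the 32-bit wrap. */
	static const char *const names[] = {
		"tap0", "tap1048575", "tap1048576", "tap2147483648",
		"tap4294967296", "tap00", "tun3",
	};
	size_t n;

	printf("%-16s %14s %14s\n", "name", "naive", "safe");
	for (n = 0; n < sizeof(names) / sizeof(names[0]); n++) {
		printf("%-16s", names[n]);
		show(unit_of_naive(names[n]));
		show(unit_of_safe(names[n]));
		printf("\n");
	}
	return (0);
}
```

Two rows of the table are the ones that matter for the PR: "tap2147483648" comes out of the naive parser as INT_MIN and is accepted, and "tap4294967296" wraps all the way to 0, so a lookup of that name would alias the existing tap0 unit; the hardened parser refuses both at the digit where the mask is first exceeded, without ever forming the out-of-range value.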