From owner-freebsd-bugs@FreeBSD.ORG  Thu Aug 19 16:20:02 2010
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1C12310656B0
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 19 Aug 2010 16:20:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id CCAC08FC1A
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 19 Aug 2010 16:20:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o7JGK1tr019104
	for <freebsd-bugs@freefall.freebsd.org>; Thu, 19 Aug 2010 16:20:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o7JGK1PC019103;
	Thu, 19 Aug 2010 16:20:01 GMT (envelope-from gnats)
Resent-Date: Thu, 19 Aug 2010 16:20:01 GMT
Resent-Message-Id: <201008191620.o7JGK1PC019103@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Dmitrij Tejblum <tejblum@yandex-team.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id F06B7106566C
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu, 19 Aug 2010 16:16:16 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id DFB308FC0A
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu, 19 Aug 2010 16:16:16 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o7JGGG42021750
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 19 Aug 2010 16:16:16 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o7JGGGtF021749;
	Thu, 19 Aug 2010 16:16:16 GMT (envelope-from nobody)
Message-Id: <201008191616.o7JGGGtF021749@www.freebsd.org>
Date: Thu, 19 Aug 2010 16:16:16 GMT
From: Dmitrij Tejblum <tejblum@yandex-team.ru>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/149807: [patch] [ipfw] panic due to bpf write to ipfw interface
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Aug 2010 16:20:02 -0000


>Number:         149807
>Category:       kern
>Synopsis:       [patch] [ipfw] panic due to bpf write to ipfw interface
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 19 16:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Dmitrij Tejblum
>Release:        8.1-STABLE
>Organization:
OOO Yandex
>Environment:
>Description:
ipfw create a pseudo-interface named ipfw0. It looks pretty much like an ethernet interface. If a program attach a bpf to the interface and send a multicast packet via it, a panic will occur.

(Of course, sending packets to the ipfw0 interface is not useful. But some programs may do it. E.g., an CDP or LLDP daemon by default would try to send its packets to all interfaces in the systems, including ipfw0, if it's configured.)

The cause of the panic is unitialized `if_broadcastaddr' field of the ipfw0's ifnet struct. The field is supposed to be initialized, and it is used in e.g. sys/net/bpf.c
>How-To-Repeat:
On a system with ipfw configured, install net-mgmt/openlldp port, run lldpd, and wait for a minute or so.
>Fix:


Patch attached with submission follows:

--- sys/netinet/ipfw/ip_fw_log.c	2010-03-23 12:58:59.000000000 +0300
+++ sys/netinet/ipfw/ip_fw_log.c	2010-08-19 19:33:39.000000000 +0400
@@ -103,6 +103,9 @@ log_dummy(struct ifnet *ifp, u_long cmd,
 	return EINVAL;
 }
 
+static const u_char ipfwbroadcastaddr[6] =
+                        { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+                        
 void
 ipfw_log_bpf(int onoff)
 {
@@ -124,6 +127,7 @@ ipfw_log_bpf(int onoff)
 		ifp->if_addrlen = 6;
 		ifp->if_hdrlen = 14;
 		if_attach(ifp);
+		ifp->if_broadcastaddr = ipfwbroadcastaddr;
 		ifp->if_baudrate = IF_Mbps(10);
 		bpfattach(ifp, DLT_EN10MB, 14);
 		log_if = ifp;


>Release-Note:
>Audit-Trail:
>Unformatted: