From owner-freebsd-bugs@FreeBSD.ORG Thu Oct 18 05:20:02 2012 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 37491866 for ; Thu, 18 Oct 2012 05:20:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [8.8.178.135]) by mx1.freebsd.org (Postfix) with ESMTP id E87CF8FC0C for ; Thu, 18 Oct 2012 05:20:01 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q9I5K1g7009506 for ; Thu, 18 Oct 2012 05:20:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q9I5K1rR009505; Thu, 18 Oct 2012 05:20:01 GMT (envelope-from gnats) Resent-Date: Thu, 18 Oct 2012 05:20:01 GMT Resent-Message-Id: <201210180520.q9I5K1rR009505@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, fuzhli Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 92A92816 for ; Thu, 18 Oct 2012 05:12:59 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id 7A17F8FC08 for ; Thu, 18 Oct 2012 05:12:59 +0000 (UTC) Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.5/8.14.5) with ESMTP id q9I5CwqX087510 for ; Thu, 18 Oct 2012 05:12:58 GMT (envelope-from nobody@red.freebsd.org) Received: (from nobody@localhost) by red.freebsd.org (8.14.5/8.14.5/Submit) id q9I5Cwq5087509; Thu, 18 Oct 2012 05:12:58 GMT (envelope-from nobody) Message-Id: <201210180512.q9I5Cwq5087509@red.freebsd.org> Date: Thu, 18 Oct 2012 05:12:58 GMT From: fuzhli To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Subject: kern/172840: memory overwrite if configure more than 128 multicast addresses on ixgbe NIC X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Oct 2012 05:20:02 -0000 >Number: 172840 >Category: kern >Synopsis: memory overwrite if configure more than 128 multicast addresses on ixgbe NIC >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Oct 18 05:20:01 UTC 2012 >Closed-Date: >Last-Modified: >Originator: fuzhli >Release: FreeBSD7.0 >Organization: Array networks >Environment: FreeBSD7.0+ixgbe driver 2.3.10. %uname -a FreeBSD Array.arraynetworks.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 10:35:36 UTC 2008 root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 >Description: Memory will be overwrite if configure more than 128 multicast addresses on ixgbe NIC, and maybe cause system panic. >How-To-Repeat: configure more than 128 multicast addresses on ixgbe NIC >Fix: Index: src/sys/dev/ixgbe/ixgbe.c =================================================================== RCS file: /home/src/sys/dev/ixgbe/ixgbe.c,v retrieving revision 1.32.2.7 diff -u -p -r1.32.2.7 ixgbe.c --- FreeBSD/src/sys/dev/ixgbe/ixgbe.c 29 Sep 2012 06:58:41 -0000 1.32.2.7 +++ FreeBSD/src/sys/dev/ixgbe/ixgbe.c 17 Oct 2012 10:17:33 -0000 @@ -2072,6 +2072,10 @@ ixgbe_set_multi(struct adapter *adapter) TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) { if (ifma->ifma_addr->sa_family != AF_LINK) continue; + if (mcnt == MAX_NUM_MULTICAST_ADDRESSES) + break; bcopy(LLADDR((struct sockaddr_dl *) ifma->ifma_addr), &mta[mcnt * IXGBE_ETH_LENGTH_OF_ADDRESS], IXGBE_ETH_LENGTH_OF_ADDRESS); >Release-Note: >Audit-Trail: >Unformatted: