Date: Tue, 7 Jan 1997 21:37:10 -0800 (PST)
From: seki@sysrap.cs.fujitsu.co.jp
To: freebsd-gnats-submit@freebsd.org
Subject: kern/2415: Writing into bpf makes a malformed mbuf delivered to Ethernet driver
Message-ID: <199701080537.VAA13925@freefall.freebsd.org>
Resent-Message-ID: <199701080540.VAA14118@freefall.freebsd.org>
>Number: 2415
>Category: kern
>Synopsis: Writing into bpf makes a malformed mbuf delivered to Ethernet driver
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 7 21:40:00 PST 1997
>Last-Modified:
>Originator: Masahiro Sekiguchi
>Organization:
Fujitsu Limited
>Release: 2.2 BETA
>Environment:
>Description:
When debugging the PAO portion of my if_fe driver, I found the driver
receives packets to send out stored in a malformed mbuf. That is,
m_pkthdr.len in the first mbuf was 14 bytes larger than the sum
of m_len values in the chain.
The fe driver relies on m_pkthdr.len, and, if such packets come
when the transmission packet queue is long (e.g., heavy network
load), the driver will crash.
After analyzing the case, I found the malformed packets came
from the dhcpc daemon of the WIDE dhcp package through the bpfilter
device. All packets from dhcpc seemed to have a value 14 bytes
larger stored in m_pkthdr.len.
I'm not completely sure yet, but I guess it is a bug in bpf.c.
>How-To-Repeat:
Run dhcpc in WIDE dhcp (which is available as a part of 2.2 packages) with any Ethernet driver.
With ddb (or any other kernel debugger), catch an mbuf from
dhcpc at the entry to the Ethernet driver (DEVICE_start routine.)
Dump the mbuf.
>Fix:
I suggest the following patch to sys/net/bpf.c:
--- bpf.old.c Wed Jan 8 13:22:26 1997
+++ bpf.c Wed Jan 8 13:26:12 1997
@@ -227,6 +227,7 @@
* Make room for link header.
*/
if (hlen != 0) {
+ m->m_pkthdr.len -= hlen;
m->m_len -= hlen;
#if BSD >= 199103
m->m_data += hlen; /* XXX */
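Review bot: In the `if (hlen != 0)` block, the added `m->m_pkthdr.len -= hlen;` (like the existing `m->m_len -= hlen;` below it) subtracts with no visible check that the written length is at least `hlen`, so a write shorter than the link header would leave both fields negative or wrapped; confirm that such writes are rejected before this point, or add the check here. The new line also sits above `#if BSD >= 199103` while the `m_data` adjustment is inside it; if `m_pkthdr` is only present on that branch, move the line inside the conditional. A one-line comment saying the two length fields must be adjusted together would help the next reader.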
>Audit-Trail:
>Unformatted:
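The invariant described in the report (m_pkthdr.len must equal the sum of m_len over the chain), as an added example that is not part of the original message or of FreeBSD's bpf.c. It uses a simplified user-space model; `struct mbuf_model`, the function names, the 342-byte sample length and the bound check on `hlen` are assumptions of this example.

```c
/* Simplified user-space model of an mbuf chain; NOT the kernel's struct mbuf. */
#include <stddef.h>
#include <stdio.h>

struct mbuf_model {
    struct mbuf_model *m_next;  /* next buffer in the chain */
    int m_len;                  /* bytes of data held in this buffer */
    int m_pkthdr_len;           /* claimed packet length; first mbuf only */
};

/* Sum of m_len over the chain: the value m_pkthdr.len is supposed to equal. */
static int chain_len(const struct mbuf_model *m) {
    int total = 0;
    for (; m != NULL; m = m->m_next)
        total += m->m_len;
    return total;
}

/* Header claim minus real chain length; 0 means the mbuf is consistent. */
static int pkthdr_excess(const struct mbuf_model *m) {
    return m->m_pkthdr_len - chain_len(m);
}

/* Models the link-header strip in the hunk; with_fix applies the added line. */
static int strip_link_header(struct mbuf_model *m, int hlen, int with_fix) {
    if (hlen < 0 || hlen > m->m_len)
        return -1;              /* bound check added by this example, not by the patch */
    if (hlen != 0) {
        if (with_fix)
            m->m_pkthdr_len -= hlen;
        m->m_len -= hlen;
    }
    return 0;
}

/* Build a constructed packet of len bytes, strip hlen, return the excess (-1 on reject). */
static int excess_after_write(int len, int hlen, int with_fix) {
    struct mbuf_model m = { NULL, len, len };
    if (strip_link_header(&m, hlen, with_fix) != 0)
        return -1;
    return pkthdr_excess(&m);
}

int main(void) {
    printf("unpatched excess: %d\n", excess_after_write(342, 14, 0));
    printf("patched excess:   %d\n", excess_after_write(342, 14, 1));
    return 0;
}
```

A driver that sizes its transmit copy from m_pkthdr.len could run the same excess check at its start routine and drop packets where the result is nonzero.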
