Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 14 Mar 1997 22:38:04 -0500 (EST)
From:      <gbuchanan@sympatico.ca>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/2990: DEC FDDI is a little *too* promiscuous
Message-ID:  <199703150338.WAA00473@localhost.on.sympatico.ca>
Resent-Message-ID: <199703150340.TAA02709@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         2990
>Category:       kern
>Synopsis:       DEC FDDI is a little *too* promiscuous
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 14 19:40:01 PST 1997
>Last-Modified:
>Originator:     Gardner Buchanan
>Organization:
Gardner Buchanan    <gbuchanan@sympatico.ca>
Ottawa, ON
>Release:        FreeBSD 2.1 and others
>Environment:

DEC FDDI adapter operating in promiscuous mode
Several versions of FreeBSD, and probably other BSDs as well.

pdq_ifsubr.c:
     $Id: pdq_ifsubr.c,v 1.8 1996/07/31 21:38:44 thomas Exp $

>Description:

I noticed that the DEC FDDI driver (if_fpa, if_pdq) does not 
correctly validate incoming frames against the hardware address 
when the interface is promiscuous.  If IP packet forwarding is
turned on, this results in the whole FDDI being sucked up and pushed
out the default route.  Talk about drinking from a firehose.

I doubt that this is intentional.  The Ethernet drivers seem to 
have code to match incoming frames to the physical address - or a
multi/broadcast address - and only pass the matching frames to the
higher level protocols.

>How-To-Repeat:

Send your default route over an Ethernet, hook your FDDI interface
to a busy network and put it in promiscuous mode.  Watch your Ethernet
get busy all of a sudden.  Panic.

>Fix:
	
Add a verification of the destination hardware address such as can be
see at line 2303 of if_de.c:

     $Id: if_de.c,v 1.29.2.7 1996/11/10 13:35:49 davidg Exp $

     if ((sc->tulip_if.if_flags & IFF_PROMISC)
          && (eh.ether_dhost[0] & 1) == 0
          && !TULIP_ADDREQUAL(eh.ether_dhost, sc->tulip_ac.ac_enaddr))
          goto next;

to the FDDI driver module pdq_ifsubr.c ($Id: pdq_ifsubr.c,v 1.8 1996/07/31
21:38:44 thomas Exp $) somewhere near line 202.
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199703150338.WAA00473>