From owner-freebsd-bugs Wed Jan 8 12:40: 6 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD11A37B401 for ; Wed, 8 Jan 2003 12:40:03 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C20DE43EEC for ; Wed, 8 Jan 2003 12:40:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h08Ke2NS051391 for ; Wed, 8 Jan 2003 12:40:02 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h08Ke2a2051390; Wed, 8 Jan 2003 12:40:02 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AA6D37B401 for ; Wed, 8 Jan 2003 12:34:06 -0800 (PST)
Received: from dirty.research.bell-labs.com (dirty.research.bell-labs.com [204.178.16.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3B94143EB2 for ; Wed, 8 Jan 2003 12:34:05 -0800 (PST) (envelope-from dong@research.bell-labs.com)
Received: from grubby.research.bell-labs.com (H-135-104-2-9.research.bell-labs.com [135.104.2.9]) by dirty.research.bell-labs.com (8.12.5/8.12.5) with ESMTP id h08KXthN058655 for ; Wed, 8 Jan 2003 15:33:55 -0500 (EST)
Received: from doom-11.cs.bell-labs.com (doom-11.cs.bell-labs.com [135.104.9.224]) by grubby.research.bell-labs.com (8.11.6/8.11.6) with ESMTP id h08KXnY29992 for ; Wed, 8 Jan 2003 15:33:49 -0500 (EST)
Received: (from dong@localhost) by doom-11.cs.bell-labs.com (8.12.6/8.12.6/Submit) id h08KXntX003217; Wed, 8 Jan 2003 15:33:49 -0500 (EST)
Message-Id: <200301082033.h08KXntX003217@doom-11.cs.bell-labs.com>
Date: Wed, 8 Jan 2003 15:33:49 -0500 (EST)
From: Dong Lin
Reply-To: Dong Lin
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/46881: ether_input casts m_hdr to mbuf and causes bpf_mtap to access random data
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         46881
>Category:       kern
>Synopsis:       ether_input casts m_hdr to mbuf and causes bpf_mtap to access random data
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 08 12:40:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Dong Lin
>Release:        FreeBSD 4.7-RELEASE i386 (also present in 5.0-current)
>Organization:
>Environment:
System: FreeBSD doom-11.cs.bell-labs.com 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Thu Oct 31 17:21:42 EST 2002 dong@char.research.bell-labs.com:/.amd_mnt/bopp/home/dong/FreeBSD/4.7/compile/DISKLESS.SMP i386
>Description:
There is a bug in ether_input's handling of bpf_mtap. It passes an m_hdr to bpf_mtap as the head of an mbuf chain, but bpf_mtap touches fields beyond the m_hdr. Fortunately, that code is only used if the user program clears SEESENT.

I am running 4.7-release. But I see the same code in 5.0-current.
>How-To-Repeat:
Add the following lines to the user bpf program:

	u_int no = 0;	/* declaration assumed; 0 clears SEESENT */
	if (ioctl(pd->fd, BIOCSSEESENT, &no) < 0) {
		perror("BIOCSSEESENT");
	}
>Fix:
--- if_ethersubr.c	Wed Jan  8 15:30:12 2003
+++ /sys/net/if_ethersubr.c	Fri Aug 30 10:23:38 2002
@@ -569,13 +569,13 @@ /* Check for a BPF tap */ if (ifp->if_bpf != NULL) { - struct mbuf mb; + struct m_hdr mh; - mb.m_next = m; - mb.m_data = (char *)eh; - mb.m_len = ETHER_HDR_LEN; - mb.m_pkthdr.rcvif = m->m_pkthdr.rcvif; - bpf_mtap(ifp, (struct mbuf *)&mb); + /* This kludge is OK; BPF treats the "mbuf" as read-only */ + mh.mh_next = m; + mh.mh_data = (char *)eh; + mh.mh_len = ETHER_HDR_LEN; + bpf_mtap(ifp, (struct mbuf *)&mh); } ifp->if_ibytes += m->m_pkthdr.len + sizeof (*eh);
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
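Review bot: the patch is reversed relative to the description: the `---` side carries the 8 Jan 2003 timestamp and the `+++` side the 30 Aug 2002 one, and it is the `+` lines that introduce `struct m_hdr mh` and the `bpf_mtap(ifp, (struct mbuf *)&mh)` cast, so applying the hunk as posted would reinstate the bug rather than remove it; regenerate it with the original tree as `---` and the edited file as `+++`. On the intended (`-`) side, `struct mbuf mb` is a stack object that is never zeroed, so only `m_next`, `m_data`, `m_len` and `m_pkthdr.rcvif` hold defined values and any other field bpf_mtap may inspect (`m_flags`, for instance) is stack garbage; a `bzero(&mb, sizeof(mb))` before the assignments would close that gap. The comment `This kludge is OK; BPF treats the "mbuf" as read-only` should not survive either way, since a read-only access to a field beyond the end of `m_hdr` is precisely the defect.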
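To make the report's point concrete, here is an added C example that is not the report's or FreeBSD's own code: it models the mbuf layout with constructed toy structs (field sizes, `ifnet`, and the function names are assumptions), checks that `m_pkthdr.rcvif` lies past the end of a bare `struct m_hdr`, models the SEESENT check bpf_mtap applies, and builds the leading pseudo-mbuf the way the fix does, zeroed first.

```c
#include <stddef.h>
#include <string.h>

/* Toy models of the FreeBSD 4.x mbuf layout, constructed for this example and
 * not taken from the kernel's headers: struct mbuf starts with struct m_hdr and
 * m_pkthdr lives in the union that follows it. */
struct ifnet { int if_index; };
struct m_hdr { struct mbuf *mh_next, *mh_nextpkt; char *mh_data; int mh_len; short mh_type, mh_flags; };
struct pkthdr { struct ifnet *rcvif; int len; };
struct mbuf {
	struct m_hdr m_hdr;
	union { struct { struct pkthdr MH_pkthdr; char MH_databuf[64]; } MH; char M_databuf[96]; } M_dat;
};
#define m_next   m_hdr.mh_next
#define m_data   m_hdr.mh_data
#define m_len    m_hdr.mh_len
#define m_pkthdr M_dat.MH.MH_pkthdr

/* 1 if rcvif ends past a bare struct m_hdr: reading it through a (struct mbuf *)
 * cast of an m_hdr is an out-of-bounds read of whatever follows on the stack. */
int rcvif_beyond_m_hdr(void)
{
	return offsetof(struct mbuf, m_pkthdr.rcvif) + sizeof(struct ifnet *) > sizeof(struct m_hdr);
}

/* The check bpf_mtap applies for a listener that cleared BIOCSSEESENT: a chain
 * with no receiving interface was sent by this host and is skipped. */
int bpf_seesent_accepts(const struct mbuf *m) { return m->m_pkthdr.rcvif != NULL; }

/* Build the tap's leading pseudo-mbuf as the fix does, but zeroed first so no
 * field bpf reads is stack garbage; it carries the Ethernet header and rcvif. */
void tap_head_init(struct mbuf *mb, struct mbuf *m, char *eh, int hdrlen)
{
	memset(mb, 0, sizeof(*mb));
	mb->m_next = m;
	mb->m_data = eh;
	mb->m_len = hdrlen;
	mb->m_pkthdr.rcvif = m->m_pkthdr.rcvif;
}

/* Constructed sample: a received packet (rcvif set) or a locally sent one. */
int tap_head_seesent(int received)
{
	static struct ifnet ifn = { 1 };
	struct mbuf pkt, head;
	char eh[14] = { 0 };
	memset(&pkt, 0, sizeof(pkt));
	pkt.m_pkthdr.rcvif = received ? &ifn : NULL;
	tap_head_init(&head, &pkt, eh, sizeof(eh));
	return bpf_seesent_accepts(&head);
}
```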