From owner-freebsd-bugs Sat Oct 21 6: 0:11 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 4A2F137B4D7 for ; Sat, 21 Oct 2000 06:00:01 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id GAA44399; Sat, 21 Oct 2000 06:00:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from yar.chem.msu.su (yar.chem.msu.ru [195.208.208.25]) by hub.freebsd.org (Postfix) with ESMTP id 87ABE37B4CF for ; Sat, 21 Oct 2000 05:52:52 -0700 (PDT)
Received: (from yar@localhost) by yar.chem.msu.su (8.11.0/8.11.0) id e9LCqns00928; Sat, 21 Oct 2000 16:52:49 +0400 (MSD) (envelope-from yar)
Message-Id: <200010211252.e9LCqns00928@yar.chem.msu.su>
Date: Sat, 21 Oct 2000 16:52:49 +0400 (MSD)
From: yar@comp.chem.msu.su
Reply-To: yar@comp.chem.msu.su
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/22181: Bugs in the VLAN driver multicast manipulation code
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 22181
>Category: kern
>Synopsis: Bugs in the VLAN driver multicast manipulation code
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Oct 21 06:00:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Yar Tikhiy
>Release: FreeBSD 4.1-STABLE i386
>Organization: Moscow State University
>Environment: The bug shows up in all branches.
>Description:
First, the VLAN driver initialized the "sdl" structure in a wrong way in its function vlan_setmulti(). In particular, the sdl.sdl_nlen field is not explicitly set to zero, but it's then used inside the LLADDR() macro. Besides that, there are other "struct sockaddr_dl" fields to set.

Second, that function calls malloc() with the M_NOWAIT flag, but doesn't check its return value. The function won't run at the interrupt level, so it's safe to use M_WAITOK there.

Both bugs may cause system panic.
>How-To-Repeat:
See the code.
>Fix:
--- if_vlan.c.orig Sat Oct 21 14:13:01 2000 +++ if_vlan.c Sat Oct 21 16:26:13 2000 @@ -118,8 +118,10 @@ sc = ifp->if_softc; ifp_p = sc->ifv_p; - sdl.sdl_len = ETHER_ADDR_LEN; + bzero((char *)&sdl, sizeof sdl); + sdl.sdl_len = sizeof sdl; sdl.sdl_family = AF_LINK; + sdl.sdl_alen = ETHER_ADDR_LEN; /* First, remove any existing filter entries. */ while(sc->vlan_mc_listhead.slh_first != NULL) { 
@@ -137,7 +139,7 @@ ifma != NULL;ifma = ifma->ifma_link.le_next) { if (ifma->ifma_addr->sa_family != AF_LINK) continue; - mc = malloc(sizeof(struct vlan_mc_entry), M_DEVBUF, M_NOWAIT); + mc = malloc(sizeof(struct vlan_mc_entry), M_DEVBUF, M_WAITOK); bcopy(LLADDR((struct sockaddr_dl *)ifma->ifma_addr), (char *)&mc->mc_addr, ETHER_ADDR_LEN); SLIST_INSERT_HEAD(&sc->vlan_mc_listhead, mc, mc_entries);
>Release-Note:
>Audit-Trail:
>Unformatted:
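Review bot: In the first hunk (@@ -118,8 +118,10 @@) the reason for the new bzero() is not recorded next to it. LLADDR() offsets into sdl_data by sdl_nlen, so a one-line comment above `bzero((char *)&sdl, sizeof sdl);` saying that the zeroing is what makes the later LLADDR(&sdl) use valid would keep a future cleanup from dropping it. The `(char *)` cast is unnecessary, and writing `sizeof(sdl)` would match the parenthesised `sizeof(struct vlan_mc_entry)` already used in the second hunk.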
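Review bot: In the second hunk (@@ -137,7 +139,7 @@) the malloc() changed to M_WAITOK can now sleep in the middle of the loop that advances with `ifma = ifma->ifma_link.le_next`, and nothing in the hunk shows that list being kept stable across the sleep. Please confirm the multicast list cannot change while this loop is blocked, or count the entries and allocate before walking it. A comment at the call stating that vlan_setmulti() is never entered at interrupt level would also help, since that assumption from the description is the only thing that makes M_WAITOK legal here and makes the missing NULL check before bcopy() harmless.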
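The first bug in the description, shown as an added example (not code from the PR or from FreeBSD): LLADDR() adds sdl_nlen to sdl_data, so a stack sdl with only sdl_len and sdl_family set points the address copy wherever the leftover sdl_nlen byte says. The struct is a local mirror of the 4.x-era layout (an assumption), the 0xA5 fill is constructed stack garbage, and init_before_patch, init_after_patch and set_lladdr are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define AF_LINK 18   /* BSD value, defined locally so this builds anywhere */

/* Local mirror of the 4.x-era struct sockaddr_dl (assumed layout). */
struct sockaddr_dl_demo {
    unsigned char  sdl_len, sdl_family;
    unsigned short sdl_index;
    unsigned char  sdl_type;
    unsigned char  sdl_nlen;             /* interface name length */
    unsigned char  sdl_alen, sdl_slen;   /* address and selector lengths */
    char           sdl_data[12];
};

/* Same shape as the BSD macro: the address starts after the name. */
#define LLADDR(s) ((char *)((s)->sdl_data + (s)->sdl_nlen))

/* Initialisation as in the '-' line: every other field is stack garbage. */
static void init_before_patch(struct sockaddr_dl_demo *sdl) {
    memset(sdl, 0xA5, sizeof *sdl);      /* constructed garbage pattern */
    sdl->sdl_len = ETHER_ADDR_LEN;
    sdl->sdl_family = AF_LINK;
}

/* Initialisation as in the '+' lines. */
static void init_after_patch(struct sockaddr_dl_demo *sdl) {
    memset(sdl, 0, sizeof *sdl);
    sdl->sdl_len = sizeof *sdl;
    sdl->sdl_family = AF_LINK;
    sdl->sdl_alen = ETHER_ADDR_LEN;
}

/* Copy a MAC to LLADDR(sdl) only if it stays inside sdl_data; -1 otherwise. */
static int set_lladdr(struct sockaddr_dl_demo *sdl, const unsigned char *mac) {
    if ((size_t)sdl->sdl_nlen + ETHER_ADDR_LEN > sizeof sdl->sdl_data)
        return -1;
    memcpy(LLADDR(sdl), mac, ETHER_ADDR_LEN);
    return 0;
}

int main(void) {
    const unsigned char mac[ETHER_ADDR_LEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01};
    struct sockaddr_dl_demo sdl;
    init_before_patch(&sdl);
    printf("before: sdl_nlen=%u rc=%d\n", sdl.sdl_nlen, set_lladdr(&sdl, mac));
    init_after_patch(&sdl);
    printf("after:  sdl_nlen=%u rc=%d\n", sdl.sdl_nlen, set_lladdr(&sdl, mac));
    return 0;
}
```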