Date:      Wed, 14 Jun 1995 15:40:01 -0700
From:      Alan Bawden <Alan@Epilogue.Com>
To:        freebsd-bugs
Subject:   kern/512: writing to bpf(loopback) causes kernel panic
Message-ID:  <199506142240.PAA02858@freefall.cdrom.com>
In-Reply-To: Your message of Wed, 14 Jun 1995 18:30:34 -0400 <199506142230.SAA00401@beandorf.epilogue.com>


>Number:         512
>Category:       kern
>Synopsis:       writing to bpf(loopback) causes kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs (FreeBSD bugs mailing list)
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 14 15:40:00 1995
>Originator:     Alan Bawden
>Organization:
>Release:        FreeBSD 2.0-RELEASE i386
>Environment:

	???

>Description:

	Attaching the bpf device to the loopback interface, and then
	attempting to write data always causes a kernel panic.  It seems
	to have nothing to do with the validity of the data being written,
	although the example below is careful to write a valid ICMP packet.

>How-To-Repeat:

	Compile and run the following program:

	/* Bug: writing to bpf(loopback) causes kernel panic
	 * **DANGER** this -will- crash your machine!
	 */

	#include <stdlib.h>
	#include <stdio.h>
	#include <string.h>
	#include <errno.h>
	#include <fcntl.h>
	#include <unistd.h>
	#include <sys/types.h>
	#include <sys/ioctl.h>
	#include <sys/socket.h>
	#include <net/if.h>
	#include <net/bpf.h>

	/* Here is a ping I captured off the loopback interface.
	 * Sending it out again shouldn't be a problem!
	 * The first 4 bytes are the loopback (DLT_NULL) link-level header:
	 * the address family in host byte order.  They are rewritten in
	 * main() before the packet is handed to bpf.
	 */
	unsigned char ping[] = {
	  0x02, 0x00, 0x00, 0x00,	/* fix first word endianness later */
	  0x45, 0x00, 0x00, 0x54,
	  0xC7, 0xB5, 0x00, 0x00,
	  0xFF, 0x01, 0xF5, 0xF0,	/* Protocol = ICMP */
	  0x7F, 0x00, 0x00, 0x01,	/* 127.0.0.1 */
	  0x7F, 0x00, 0x00, 0x01,	/* 127.0.0.1 */
	  0x08, 0x00, 0x09, 0x66,	/* Type = ECHO */
	  0xBE, 0x03, 0x04, 0x00,
	  0x73, 0x51, 0xDF, 0x2F,
	  0xEC, 0x11, 0x03, 0x00,
	  0x08, 0x09, 0x0A, 0x0B,
	  0x0C, 0x0D, 0x0E, 0x0F,
	  0x10, 0x11, 0x12, 0x13,
	  0x14, 0x15, 0x16, 0x17,
	  0x18, 0x19, 0x1A, 0x1B,
	  0x1C, 0x1D, 0x1E, 0x1F,
	  0x20, 0x21, 0x22, 0x23,
	  0x24, 0x25, 0x26, 0x27,
	  0x28, 0x29, 0x2A, 0x2B,
	  0x2C, 0x2D, 0x2E, 0x2F,
	  0x30, 0x31, 0x32, 0x33,
	  0x34, 0x35, 0x36, 0x37
	  };

	void
	die(const char *msg)
	{
	  fprintf(stderr, "%s: %s\n", msg, strerror(errno));
	  abort();
	}

	int
	main(int argc, char **argv)
	{
	  int bpf;
	  struct ifreq ifr;
	  u_int32_t af = PF_INET;	/* 4-byte DLT_NULL header, host byte order */

	  bpf = open("/dev/bpf0", O_RDWR, 0666);
	  if (bpf < 0) die("open bpf0");

	  /* Attach the bpf descriptor to the loopback interface. */
	  memset(&ifr, 0, sizeof(ifr));
	  strncpy(ifr.ifr_name, "lo0", sizeof(ifr.ifr_name));
	  if (ioctl(bpf, BIOCSETIF, &ifr)) die("set interface");

	  /* Stamp the first word with the address family, then write the
	   * whole frame (header + IP packet) out through bpf. */
	  memcpy(ping, &af, sizeof(af));
	  if (write(bpf, ping, sizeof(ping)) != sizeof(ping)) die("write");

	  close(bpf);
	  exit(0);
	}
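	An added example, not code from the bug report: a checker for the frame layout the program above hands to bpf on lo0 (a 4-byte address family in host byte order, then the IPv4 packet), run over a constructed copy of the report's ping bytes. It assumes AF_INET is 2 as on BSD systems; the mutation helper shows how a frame with a damaged header, IP header or ICMP payload is rejected, while the report's own frame passes both checksums.

```c
#include <stdint.h>
#include <string.h>
#define LOOPBACK_AF_INET 2u   /* assumption: AF_INET == 2, as on BSD */

/* Constructed copy of the 88-byte frame from the report (bytes 0..3 are
 * the DLT_NULL header, re-stamped in host byte order below). */
static const uint8_t ping_frame[88] = {
    0x02,0x00,0x00,0x00,0x45,0x00,0x00,0x54,0xC7,0xB5,0x00,0x00,0xFF,0x01,0xF5,0xF0,
    0x7F,0x00,0x00,0x01,0x7F,0x00,0x00,0x01,0x08,0x00,0x09,0x66,0xBE,0x03,0x04,0x00,
    0x73,0x51,0xDF,0x2F,0xEC,0x11,0x03,0x00,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
    0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2A,0x2B,0x2C,0x2D,0x2E,0x2F,
    0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37 };

/* RFC 1071 ones'-complement checksum; returns 0 when the bytes verify. */
static uint16_t inet_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;               /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* ICMP type (>= 0) for a well-formed IPv4/ICMP loopback frame, else -1..-7
 * naming the first check that failed. */
int check_loopback_frame(const uint8_t *frame, size_t len)
{
    uint32_t af;
    if (len < 4 + 20) return -1;                       /* null hdr + IPv4 hdr */
    memcpy(&af, frame, sizeof af);                     /* host byte order */
    if (af != LOOPBACK_AF_INET) return -2;
    const uint8_t *ip = frame + 4;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20) return -3;      /* version / IHL */
    if (total < ihl + 8 || total > len - 4) return -4; /* length vs. buffer */
    if (inet_checksum(ip, ihl) != 0) return -5;
    if (ip[9] != 1) return -6;                         /* protocol must be ICMP */
    if (inet_checksum(ip + ihl, total - ihl) != 0) return -7;
    return ip[ihl];                                    /* ICMP type */
}

/* Copy the report's frame, stamp the AF the way the report does, XOR one
 * byte (mask 0 leaves it intact) and check the result. */
int check_report_frame(size_t mutate_index, uint8_t xor_mask)
{
    uint8_t frame[sizeof ping_frame];
    uint32_t af = LOOPBACK_AF_INET;
    memcpy(frame, ping_frame, sizeof frame);
    memcpy(frame, &af, sizeof af);
    if (mutate_index < sizeof frame) frame[mutate_index] ^= xor_mask;
    return check_loopback_frame(frame, sizeof frame);
}
```

	Calling check_report_frame(0, 0) returns 8, the ICMP echo-request type, so the report's frame is well-formed; a single flipped byte in the header or payload makes the corresponding check fail.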

>Fix:
	
	???
>Audit-Trail:
>Unformatted: