Date: Wed, 14 Jun 1995 18:05:27 PDT
From: Bill Fenner <fenner@parc.xerox.com>
To: Alan Bawden <Alan@epilogue.com>
Cc: freebsd-bugs@freefall.cdrom.com
Subject: Re: kern/512: writing to bpf(loopback) causes kernel panic
Message-ID: <95Jun14.180529pdt.49859@crevenia.parc.xerox.com>
In-Reply-To: Your message of "Wed, 14 Jun 95 15:40:01 PDT." <199506142240.PAA02858@freefall.cdrom.com>

In message <199506142240.PAA02858@freefall.cdrom.com> you write:
> Attaching the bpf device to the loopback interface, and then
> attempting to write data always causes a kernel panic.  It seems
> to have nothing to do with the validity of the data being written,
> although the example below is careful to write a valid ICMP packet.

Note that the BPF man page says

    ...Currently, only writes to Ethernets and SLIP links are supported.

The panic is "looutput no HDR", and indeed, bpfwrite() doesn't build an mbuf chain starting with an M_PKTHDR. In addition, looutput() needs special handling for the AF_UNSPEC case. (I'd be willing to bet that SLIP, PPP, TUN, and perhaps others also need special handling...)

Try these patches. (bpf should arguably know about the existence of the address family at the beginning of the written packet, but that doesn't change the user interface, just the bpf->if_loop interface. I'm trying to figure out why in the world the interface is allowed to specify the header size to bpf on attach() but during write() the size is hardcoded. sigh.)

  Bill

% tcpdump -x -v -i lo0 &
% tcpdump: listening on lo0
./crash
% 00:44:46.565013 localhost > localhost: icmp: echo request (ttl 255, id 51125)
                         4500 0054 c7b5 0000 ff01 f5f0 7f00 0001
                         7f00 0001 0800 0966 be03 0400 7351 df2f
                         ec11 0300 0809 0a0b 0c0d 0e0f 1011 1213
                         1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
00:44:46.565684 localhost > localhost: icmp: echo reply (ttl 255, id 770)
                         4500 0054 0302 0000 ff01 baa4 7f00 0001
                         7f00 0001 0000 1166 be03 0400 7351 df2f
                         ec11 0300 0809 0a0b 0c0d 0e0f 1011 1213
                         1415 1617 1819 1a1b 1c1d 1e1f 2021 2223

*** net/bpf.c.orig Thu Jun 15 00:11:41 1995 --- net/bpf.c Thu Jun 15 00:12:14 1995 *************** *** 192,201 **** if ((unsigned)len > MCLBYTES) return (EIO); ! MGET(m, M_WAIT, MT_DATA); if (m == 0) return (ENOBUFS); ! if (len > MLEN) { #if BSD >= 199103 MCLGET(m, M_WAIT); if ((m->m_flags & M_EXT) == 0) { --- 192,201 ---- if ((unsigned)len > MCLBYTES) return (EIO); ! MGETHDR(m, M_WAIT, MT_DATA); if (m == 0) return (ENOBUFS); ! if (len > MHLEN) { #if BSD >= 199103 MCLGET(m, M_WAIT); if ((m->m_flags & M_EXT) == 0) { *************** *** 207,213 **** goto bad; } } ! m->m_len = len; *mp = m; /* * Make room for link header. --- 207,214 ---- goto bad; } } ! m->m_pkthdr.len = m->m_len = len; ! m->m_pkthdr.rcvif = NULL; *mp = m; /* * Make room for link header.
*** net/if_loop.c.orig Wed Jun 14 23:44:44 1995 --- net/if_loop.c Thu Jun 15 00:39:54 1995 *************** *** 124,129 **** --- 124,137 ---- panic("looutput no HDR"); ifp->if_lastchange = time; #if NBPFILTER > 0 + /* BPF write needs to be handled specially */ + if (dst->sa_family == AF_UNSPEC) { + dst->sa_family = *(mtod(m, int *)); + m->m_len -= 4; + m->m_pkthdr.len -= 4; + m->m_data += 4; + } + if (ifp->if_bpf) { /* * We need to prepend the address family as
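
Review bot: In the first net/bpf.c hunk (192,201), the cluster threshold changes from MLEN to MHLEN with no comment saying why. A one-line comment that an mbuf obtained with MGETHDR holds only MHLEN bytes inline, because the packet header occupies part of the data area, would stop a later cleanup from reverting the test to MLEN and letting m_len exceed the space that is actually there.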
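
Review bot: In the second net/bpf.c hunk (207,214), m_pkthdr.len is set equal to m_len immediately before the "Make room for link header" step, which lies outside the hunk. If that step shrinks m_len or advances m_data, m_pkthdr.len needs the same adjustment there; otherwise the header length and the chain length disagree by the link header size when the packet reaches the interface output routine. Please confirm that code, or extend the patch to cover it.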
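
Review bot: In the net/if_loop.c hunk, the new AF_UNSPEC block reads an int through mtod() and subtracts 4 from m_len and m_pkthdr.len without first checking that the first mbuf holds at least 4 bytes. The bytes come from a write() on the bpf device, so a write shorter than 4 bytes reads beyond the supplied data and takes both lengths below zero. Suggest rejecting short packets before the read, for example "if (m->m_len < sizeof(int)) { m_freem(m); return (EINVAL); }", and using sizeof(int) (or m_adj()) in place of the literal 4. The assignment also overwrites the caller's dst->sa_family in place with a value taken from the written data; copying the family into a local variable would leave the caller's sockaddr untouched.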