Date: Wed, 14 Jun 1995 15:40:01 -0700
From: Alan Bawden <Alan@Epilogue.Com>
To: freebsd-bugs
Subject: kern/512: writing to bpf(loopback) causes kernel panic
Message-ID: <199506142240.PAA02858@freefall.cdrom.com>
In-Reply-To: Your message of Wed, 14 Jun 1995 18:30:34 -0400 <199506142230.SAA00401@beandorf.epilogue.com>
>Number: 512
>Category: kern
>Synopsis: writing to bpf(loopback) causes kernel panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs (FreeBSD bugs mailing list)
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 14 15:40:00 1995
>Originator: Alan Bawden
>Organization:
>Release: FreeBSD 2.0-RELEASE i386
>Environment:
???
>Description:
Attaching the bpf device to the loopback interface, and then
attempting to write data always causes a kernel panic. It seems
to have nothing to do with the validity of the data being written,
although the example below is careful to write a valid ICMP packet.
>How-To-Repeat:
Compile and run the following program:
/* Bug: writing to bpf(loopback) causes kernel panic
 * **DANGER** this -will- crash your machine!
 */
#include <sys/types.h>
#include <sys/socket.h>   /* PF_INET; must precede <net/if.h> */
#include <sys/ioctl.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>       /* write() */
#include <net/if.h>
#include <net/bpf.h>

/* Here is a ping I captured off the loopback interface.
 * Sending it out again shouldn't be a problem!
 */
char ping[] = {
    0x02, 0x00, 0x00, 0x00, /* fix first word endianness later */
    0x45, 0x00, 0x00, 0x54,
    0xC7, 0xB5, 0x00, 0x00,
    0xFF, 0x01, 0xF5, 0xF0, /* Protocol = ICMP */
    0x7F, 0x00, 0x00, 0x01, /* 127.0.0.1 */
    0x7F, 0x00, 0x00, 0x01, /* 127.0.0.1 */
    0x08, 0x00, 0x09, 0x66, /* Type = ECHO */
    0xBE, 0x03, 0x04, 0x00,
    0x73, 0x51, 0xDF, 0x2F,
    0xEC, 0x11, 0x03, 0x00,
    0x08, 0x09, 0x0A, 0x0B,
    0x0C, 0x0D, 0x0E, 0x0F,
    0x10, 0x11, 0x12, 0x13,
    0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1A, 0x1B,
    0x1C, 0x1D, 0x1E, 0x1F,
    0x20, 0x21, 0x22, 0x23,
    0x24, 0x25, 0x26, 0x27,
    0x28, 0x29, 0x2A, 0x2B,
    0x2C, 0x2D, 0x2E, 0x2F,
    0x30, 0x31, 0x32, 0x33,
    0x34, 0x35, 0x36, 0x37
};

/* Report errno and the failing step, then dump core. */
void
die(char *msg)
{
    fprintf(stderr, "error %d: %s\n", errno, msg);
    abort();
}

int
main(int argc, char **argv)
{
    int bpf;
    struct ifreq ifr;

    /* Open the first bpf device and bind it to the loopback interface. */
    bpf = open("/dev/bpf0", O_RDWR, 0666);
    if (bpf < 0) die("open bpf0");
    strncpy(ifr.ifr_name, "lo0", sizeof(ifr.ifr_name));
    if (ioctl(bpf, BIOCSETIF, &ifr)) die("set interface");

    /* The loopback link header is the address family in host byte order. */
    * (u_long *) ping = PF_INET;
    if (write(bpf, ping, sizeof(ping)) != sizeof(ping)) die("write");
    exit(0);
}
>Fix:
???
>Audit-Trail:
>Unformatted:
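The report says the crash is independent of the data written and that the captured ping is a valid ICMP packet. The following added check (not part of the PR or of FreeBSD) backs the second claim by re-verifying the IPv4 header checksum and the ICMP checksum of the 84 datagram bytes from ping[] above, stripped of the 4-byte loopback address-family word; inet_checksum and check_ipv4_icmp are names chosen here, not kernel APIs.

```c
#include <stddef.h>
#include <stdint.h>

/* The 84 IPv4 bytes copied from the PR's ping[] array (loopback word omitted). */
static const uint8_t ping_ip[] = {
    0x45,0x00,0x00,0x54, 0xC7,0xB5,0x00,0x00, 0xFF,0x01,0xF5,0xF0,
    0x7F,0x00,0x00,0x01, 0x7F,0x00,0x00,0x01,
    0x08,0x00,0x09,0x66, 0xBE,0x03,0x04,0x00, 0x73,0x51,0xDF,0x2F,
    0xEC,0x11,0x03,0x00, 0x08,0x09,0x0A,0x0B, 0x0C,0x0D,0x0E,0x0F,
    0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17, 0x18,0x19,0x1A,0x1B,
    0x1C,0x1D,0x1E,0x1F, 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27,
    0x28,0x29,0x2A,0x2B, 0x2C,0x2D,0x2E,0x2F, 0x30,0x31,0x32,0x33,
    0x34,0x35,0x36,0x37
};

/* RFC 1071 one's-complement sum; returns 0 when the covered bytes verify. */
uint16_t inet_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)                         /* odd trailing byte is zero-padded */
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)                /* fold carries back into 16 bits */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 0 = well-formed IPv4/ICMP datagram; otherwise a code for the failed check. */
int check_ipv4_icmp(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 1;          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    size_t total = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || total < ihl || total > len) return 2;  /* bad lengths */
    if (inet_checksum(pkt, ihl) != 0) return 3;            /* IP header checksum */
    if (pkt[9] != 1) return 4;                             /* protocol != ICMP */
    if (total - ihl < 8) return 5;                         /* ICMP header short */
    if (inet_checksum(pkt + ihl, total - ihl) != 0) return 6; /* ICMP checksum */
    return 0;
}

/* Convenience wrapper: 1 if the PR's captured ping passes every check. */
int ping_is_valid(void)
{
    return check_ipv4_icmp(ping_ip, sizeof ping_ip) == 0;
}
```

Both checksums verify (IP header 0xF5F0, ICMP 0x0966), so a panic on this input cannot be blamed on a malformed packet, which is consistent with the report.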