Date:      Thu, 19 Aug 2010 16:16:16 GMT
From:      Dmitrij Tejblum <tejblum@yandex-team.ru>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/149807: [patch] [ipfw] panic due to bpf write to ipfw interface
Message-ID:  <201008191616.o7JGGGtF021749@www.freebsd.org>
Resent-Message-ID: <201008191620.o7JGK1PC019103@freefall.freebsd.org>


>Number:         149807
>Category:       kern
>Synopsis:       [patch] [ipfw] panic due to bpf write to ipfw interface
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 19 16:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Dmitrij Tejblum
>Release:        8.1-STABLE
>Organization:
OOO Yandex
>Environment:
>Description:
ipfw creates a pseudo-interface named ipfw0. It looks pretty much like an Ethernet interface. If a program attaches a bpf to the interface and sends a multicast packet via it, a panic will occur.

(Of course, sending packets to the ipfw0 interface is not useful. But some programs may do it. E.g., a CDP or LLDP daemon by default would try to send its packets to all interfaces in the system, including ipfw0, if it's configured.)

The cause of the panic is the uninitialized `if_broadcastaddr' field of ipfw0's ifnet struct. The field is supposed to be initialized, and it is used in e.g. sys/net/bpf.c.
>How-To-Repeat:
On a system with ipfw configured, install the net-mgmt/openlldp port, run lldpd, and wait for a minute or so.
>Fix:


Patch attached with submission follows:

--- sys/netinet/ipfw/ip_fw_log.c	2010-03-23 12:58:59.000000000 +0300
+++ sys/netinet/ipfw/ip_fw_log.c	2010-08-19 19:33:39.000000000 +0400
@@ -103,6 +103,9 @@ log_dummy(struct ifnet *ifp, u_long cmd,
 	return EINVAL;
 }
 
+static const u_char ipfwbroadcastaddr[6] =
+                        { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+                        
 void
 ipfw_log_bpf(int onoff)
 {
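Review bot: the length 6 in ipfwbroadcastaddr[6] is a second hard-coded copy of the value that ipfw_log_bpf() assigns to if_addrlen, so the array size and the advertised address length can drift apart. A shared named constant (ETHER_ADDR_LEN, if net/ethernet.h is usable in this file) would tie the two together. The added lines are also indented with spaces where the surrounding code uses tabs, and the line after the initializer is whitespace-only and should be an empty line.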
@@ -124,6 +127,7 @@ ipfw_log_bpf(int onoff)
 		ifp->if_addrlen = 6;
 		ifp->if_hdrlen = 14;
 		if_attach(ifp);
+		ifp->if_broadcastaddr = ipfwbroadcastaddr;
 		ifp->if_baudrate = IF_Mbps(10);
 		bpfattach(ifp, DLT_EN10MB, 14);
 		log_if = ifp;
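Review bot: the new assignment to if_broadcastaddr sits after if_attach(ifp), while the related if_addrlen and if_hdrlen are set before it, and nothing in the hunk says why. If the field has to be set after if_attach() and before bpfattach(), a one-line comment stating that would keep a later cleanup from moving it up beside the other field initializations. It would also help to state in the commit message whether writes through bpf to ipfw0 are now expected to succeed or are simply no longer fatal.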


>Release-Note:
>Audit-Trail:
>Unformatted:


