Date:      Mon, 14 Apr 2008 09:45:33 -0700
From:      "Maksim Yevmenkin" <maksim.yevmenkin@gmail.com>
To:        "Marc Lörner" <marc.loerner@hob.de>
Cc:        freebsd-net@freebsd.org
Subject:   Re: problem in if_tap.c
Message-ID:  <bb4a86c70804140945m34a7a612s476025d1888d382f@mail.gmail.com>
In-Reply-To: <200804141033.35918.marc.loerner@hob.de>
References:  <200804141033.35918.marc.loerner@hob.de>

On Mon, Apr 14, 2008 at 1:33 AM, Marc Lörner <marc.loerner@hob.de> wrote:
> Hello,
>  I found the following problem in the if_tap-device code in function tapcreate
>  when used on 64-bit systems:
>
>        TAPDEBUG("tapcreate(%s%d). minor = %#x\n", name, unit, minor(dev));
>
>         /* generate fake MAC address: 00 bd xx xx xx unit_no */
>         macaddr_hi = htons(0x00bd);
>         bcopy(&macaddr_hi, eaddr, sizeof(short));
>
>  ---->
>         bcopy(&ticks, &eaddr[2], sizeof(long));
>         eaddr[5] = (u_char)unit;
>
>         /* fill the rest and attach interface */
>
>  sizeof(long) is not always 4 on any system (e.g. on ia64 it's 8)
>  => bytes are copied from undefined memory into undefined memory

please try the following patch. if there are no objections, i will commit it

beetle# diff -u if_tap.c.orig if_tap.c
--- if_tap.c.orig       2007-04-05 10:58:39.000000000 -0700
+++ if_tap.c    2008-04-14 09:42:42.000000000 -0700
@@ -404,6 +404,7 @@
        struct ifnet            *ifp =3D NULL;
        struct tap_softc        *tp =3D NULL;
        unsigned short           macaddr_hi;
+       uint32_t                 macaddr_mid;
        int                      unit, s;
        char                    *name =3D NULL;
        u_char                  eaddr[6];
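Review bot: the declaration of macaddr_mid as uint32_t sits directly under "unsigned short macaddr_hi", so the two pieces of the address now use different type conventions, one fixed-width and one not. Since the point of the change is to stop depending on the platform's integer sizes, consider declaring macaddr_hi as uint16_t as well and copying it with sizeof(uint16_t), so that both widths that land in the 6-byte eaddr are explicit.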
@@ -432,8 +433,9 @@

        /* generate fake MAC address: 00 bd xx xx xx unit_no */
        macaddr_hi =3D htons(0x00bd);
+       macaddr_mid =3D (uint32_t) ticks;
        bcopy(&macaddr_hi, eaddr, sizeof(short));
-       bcopy(&ticks, &eaddr[2], sizeof(long));
+       bcopy(&macaddr_mid, &eaddr[2], sizeof(uint32_t));
        eaddr[5] =3D (u_char)unit;

        /* fill the rest and attach interface */
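Review bot: the bcopy of macaddr_mid into &eaddr[2] still writes four bytes where the comment promises three (xx xx xx), and which three bytes of ticks survive depends on byte order because eaddr[5] is overwritten with the unit on the next line. On a little-endian machine eaddr[2..4] receive the low-order bytes of ticks; on a big-endian machine they receive the high-order bytes, and the fastest-changing byte is the one that gets replaced by unit. Assigning eaddr[2], eaddr[3] and eaddr[4] from shifted values of macaddr_mid (or copying exactly 3 bytes from a known offset) would stay in bounds, match the comment, and give the same address layout on every architecture.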

thanks,
max
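
An added example, not part of the original message and not code from if_tap.c: it replays the reported copy into a guarded buffer to show how many bytes land past eaddr[6] for a 4-byte and an 8-byte long, next to a byte-by-byte way to build the address. The names old_copy_overrun and fake_mac, the guard bytes and the sample tick value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_LEN 6

/* Replay bcopy(&ticks, &eaddr[2], sizeof(long)) for a given sizeof(long).
 * buf[0..5] stands in for eaddr[6]; the 8 guard bytes after it stand in for
 * whatever follows eaddr in memory. Returns the guard bytes overwritten. */
static size_t old_copy_overrun(size_t long_size)
{
	uint8_t buf[ETHER_LEN + 8], src[8];	/* src: constructed ticks value */
	size_t i, hit = 0;

	if (long_size > sizeof(src))
		return (size_t)-1;
	memset(src, 0x11, sizeof(src));
	memset(buf, 0xA5, sizeof(buf));
	memcpy(&buf[2], src, long_size);
	for (i = ETHER_LEN; i < sizeof(buf); i++)
		hit += (buf[i] != 0xA5);
	return hit;
}

/* Build 00:bd:xx:xx:xx:unit with shifts, so the result depends neither on
 * sizeof(long) nor on byte order. Returns the six bytes packed for comparison. */
static uint64_t fake_mac(uint8_t eaddr[ETHER_LEN], uint32_t tick, int unit)
{
	uint64_t packed = 0;
	int i;

	eaddr[0] = 0x00;
	eaddr[1] = 0xbd;
	eaddr[2] = (uint8_t)(tick >> 16);
	eaddr[3] = (uint8_t)(tick >> 8);
	eaddr[4] = (uint8_t)tick;	/* fastest-changing byte is kept */
	eaddr[5] = (uint8_t)unit;
	for (i = 0; i < ETHER_LEN; i++)
		packed = (packed << 8) | eaddr[i];
	return packed;
}

int main(void)
{
	uint8_t eaddr[ETHER_LEN];
	printf("guard bytes hit: long=4 -> %zu, long=8 -> %zu\n",
	    old_copy_overrun(4), old_copy_overrun(8));
	printf("mac: %012llx\n", (unsigned long long)fake_mac(eaddr, 0x12345678u, 3));
	return 0;
}
```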


