Bug #1803
closed
ifconfig wlan0 create causes memory corruption
Added by Johannes.Hofmann over 14 years ago.
Updated about 14 years ago.
Description
When cloning a wlan interface with e.g.
ifconfig wlan0 create wlandev ath0
a struct ifnet is allocated via if_alloc and then passed to
ether_ifattach_bpf() which writes beyond the struct ifnet.
This is especially a problem if struct ifnet size is close to a chunk
size of the slab allocator - as it happens with the recent pf update.
This was caught by guards I added to the slab allocator.
Cheers,
Johannes
:When cloning a wlan interface with e.g.
: ifconfig wlan0 create wlandev ath0
:a struct ifnet is allocated via if_alloc and then passed to
:ether_ifattach_bpf() which writes beyond the struct ifnet.
:This is especially a problem if struct ifnet size is close to a chunk
:size of the slab allocator - as it happens with the recent pf update.
:This was caught by guards I added to the slab allocator.
:
:Cheers,
:Johannes
Ok, we need to track this down. I don't see anything in
ether_ifattach_bpf() itself that indexes past the end of the
ifnet; is it something ether_ifattach_bpf() calls or something
after ether_ifattach_bpf() returns? How much code do we have to
review here?
-Matt
Matthew Dillon
<dillon@backplane.com>
Matthew Dillon <dillon@apollo.backplane.com> wrote:
:When cloning a wlan interface with e.g.
: ifconfig wlan0 create wlandev ath0
:a struct ifnet is allocated via if_alloc and then passed to
:ether_ifattach_bpf() which writes beyond the struct ifnet.
:This is especially a problem if struct ifnet size is close to a chunk
:size of the slab allocator - as it happens with the recent pf update.
:This was caught by guards I added to the slab allocator.
:
:Cheers,
:Johannes
Ok, we need to track this down. I don't see anything in
ether_ifattach_bpf() itself that indexes past the end of the
ifnet; is it something ether_ifattach_bpf() calls or something
after ether_ifattach_bpf() returns? How much code do we have to
review here?
It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment.
ifp is expected to be embedded in a struct arpcom, which is not the
case for the cloned wlan interface.
Cheers,
Johannes
:It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment.
:ifp is expected to be embedded in a struct arpcom, which is not the
:case for the cloned wlan interface.
:
:Cheers,
:Johannes
Ok, what I will do is adopt the changes FreeBSD made which is
to hang arpcom off of a pointer in the ifp instead of embedding
the ifnet in the arpcom.
-Matt
Matthew Dillon
<dillon@backplane.com>
Urk. Let me take that back. For the moment I'll change the wlan
code to declare an arpcom, then I'll take a look at how easy it
would be to convert all of our arpcoms to if_l2com.
-Matt
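The embedding assumption discussed above, shown as an added illustration that is not DragonFly's code: the structures are simplified stand-ins for struct ifnet and struct arpcom, attach_lladdr() models the bcopy() that casts ifp to an arpcom, and guarded_attach() models the slab guard bytes Johannes used to catch the overrun. Allocating a bare ifnet (the cloned wlan case) clobbers the guard; allocating an arpcom, as Matt's interim fix does, keeps it intact.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define GUARD_LEN      16
#define GUARD_BYTE     0xA5

/* Simplified models of the kernel structures, not the real definitions. */
struct ifnet {
	char if_xname[16];
	int  if_addrlen;
};

struct arpcom {
	struct ifnet ac_if;                 /* must be first: the ifp cast relies on it */
	uint8_t      ac_enaddr[ETHER_ADDR_LEN];
};

/* Models the "XXX" bcopy(): assumes ifp is the first member of an arpcom. */
static void
attach_lladdr(struct ifnet *ifp, const uint8_t *lla)
{
	ifp->if_addrlen = ETHER_ADDR_LEN;
	memcpy(((struct arpcom *)ifp)->ac_enaddr, lla, ETHER_ADDR_LEN);
}

/*
 * Allocate 'size' bytes followed by a guard region (as a guarded slab chunk
 * would), run the attach on it, and report whether the guard survived.
 */
static int
guarded_attach(size_t size)
{
	static const uint8_t lla[ETHER_ADDR_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
	uint8_t *chunk = calloc(1, size + GUARD_LEN);
	int intact = 1;

	memset(chunk + size, GUARD_BYTE, GUARD_LEN);
	attach_lladdr((struct ifnet *)chunk, lla);
	for (size_t i = 0; i < GUARD_LEN; i++)
		if (chunk[size + i] != GUARD_BYTE)
			intact = 0;
	free(chunk);
	return intact;
}

/* Cloned wlan allocating only a struct ifnet: the copy lands in the guard. */
int ifnet_only_is_safe(void) { return guarded_attach(sizeof(struct ifnet)); }
/* Declaring an arpcom instead: ac_enaddr is inside the allocation. */
int arpcom_is_safe(void)     { return guarded_attach(sizeof(struct arpcom)); }
```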
Has this been addressed yet?
Regards,
Alex
"Alex Hornung (via DragonFly issue tracker)" <sinknull@leaf.dragonflybsd.org> wrote:
Alex Hornung <ahornung@gmail.com> added the comment:
Has this been addressed yet?
Yes, there is a "temporary hack" that fixes it:
7e39593549a460369e7be716ca160d20932105fd