DragonFly BSD
DragonFly bugs List (threaded) for 2010-08
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: ifconfig wlan0 create causes memory corruption


From: Johannes Hofmann <johannes.hofmann@xxxxxx>
Date: 14 Aug 2010 06:52:02 GMT

Matthew Dillon <dillon@apollo.backplane.com> wrote:
> 
> :When cloning a wlan interface with e.g
> :       ifconfig wlan0 create wlandev ath0
> :a struct ifnet is allocated via if_alloc and then passed to
> :ether_ifattach_bpf() which writes beyond the struct ifnet.
> :This is especially a problem if struct ifnet size is close to a chunk
> :size of the slab allocator - as it happens with the recent pf update.
> :This was caught by guards I added to the slab allocator.
> :
> :Cheers,
> :Johannes
> 
>    Ok, we need to track this down.  I don't see anything in
>    ether_ifattach_bpf() itself that indexes past the end of the
>    ifnet, is it something ether_ifattach_bpf() calls or something
>    after ether_ifattach_bpf() returns?  How much code do we have to
>    review here?

It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment.
ifp is expected to be embedded in a struct arpcom, which is not the
case for the cloned wlan interface.

Cheers,
Johannes
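As an added illustration of the embedding assumption described above (model code written for this page, not DragonFly's ether_ifattach_bpf(), if_alloc() or the real struct layouts; the if_alloc_size field, if_alloc_sized() and ether_attach_lladdr_checked() are hypothetical), the copy into the arpcom field is guarded by the recorded allocation size, so a bare struct ifnet is refused instead of being overrun:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures; the real layouts differ. */
struct ifnet {
    char   if_xname[16];
    size_t if_alloc_size;      /* hypothetical: bytes actually allocated for this object */
};
struct arpcom {
    struct ifnet ac_if;        /* Ethernet code assumes every ifp sits here, so ... */
    uint8_t      ac_enaddr[6]; /* ... this field lies just past the end of struct ifnet */
};
/* Hypothetical allocator: zero-fills and records the size for later checking. */
static struct ifnet *if_alloc_sized(size_t size) {
    struct ifnet *ifp = calloc(1, size);
    if (ifp != NULL)
        ifp->if_alloc_size = size;
    return ifp;
}
/* Defensive version of the attach-time copy. The unchecked original is just the
 * memcpy: given a bare struct ifnet it writes 6 bytes past the allocation. */
static bool ether_attach_lladdr_checked(struct ifnet *ifp, const uint8_t lla[6]) {
    if (ifp->if_alloc_size < sizeof(struct arpcom))
        return false;          /* not embedded in an arpcom: refuse instead of overflowing */
    struct arpcom *ac = (struct arpcom *)ifp;
    memcpy(ac->ac_enaddr, lla, 6);
    return true;
}

static const uint8_t sample_lla[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}; /* constructed */
/* Scenario 1: a cloned interface allocated as a bare ifnet (the bug report's case). */
static bool bare_ifnet_is_rejected(void) {
    struct ifnet *ifp = if_alloc_sized(sizeof(struct ifnet));
    bool rejected = ifp != NULL && !ether_attach_lladdr_checked(ifp, sample_lla);
    free(ifp);
    return rejected;
}

/* Scenario 2: a driver that allocates the full arpcom, as the copy expects. */
static bool arpcom_attach_succeeds(void) {
    struct ifnet *ifp = if_alloc_sized(sizeof(struct arpcom));
    bool ok = ifp != NULL && ether_attach_lladdr_checked(ifp, sample_lla)
              && memcmp(((struct arpcom *)ifp)->ac_enaddr, sample_lla, 6) == 0;
    free(ifp);
    return ok;
}
```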
