DragonFly bugs List (threaded) for 2010-08
Re: ifconfig wlan0 create causes memory corruption
Matthew Dillon <firstname.lastname@example.org> wrote:
> :When cloning an wlan interface with e.g
> : ifconfig wlan0 create wlandev ath0
> :a struct ifnet is allocated via if_alloc and then passed to
> :ether_ifattach_bpf() which writes beyond the struct ifnet.
> :This is especially a problem if struct ifnet size is close to a chunk
> :size of the slab allocator - as it happens with the recent pf update.
> :This was catched by guards I added to the slab allocator.
> Ok, we need to track this down. I don't see anything in
> ether_ifattach_bpf() itself that indexes past the end of the
> ifnet, is it something ether_ifattach_bpf() calls or something
> after ether_ifattach_bpf() returns? How much code do we have to
> review here?
It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment.
ifp is expected to be embedded in a struct arpcom, which is not the
case for the cloned wlan interface.