DragonFly BSD
DragonFly bugs List (threaded) for 2010-08

Re: ifconfig wlan0 create causes memory corruption


From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 13 Aug 2010 18:58:57 -0700 (PDT)

:When cloning a wlan interface with e.g
:	ifconfig wlan0 create wlandev ath0
:a struct ifnet is allocated via if_alloc and then passed to
:ether_ifattach_bpf() which writes beyond the struct ifnet.
:This is especially a problem if struct ifnet size is close to a chunk
:size of the slab allocator - as it happens with the recent pf update.
:This was caught by guards I added to the slab allocator.
:
:Cheers,
:Johannes

    Ok, we need to track this down.  I don't see anything in
    ether_ifattach_bpf() itself that indexes past the end of the
    ifnet.  Is it something ether_ifattach_bpf() calls or something
    after ether_ifattach_bpf() returns?  How much code do we have to
    review here?

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
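The report above is detected the way Johannes describes: the allocator places a guard pattern after each object and a write past the end of the object lands in that guard. The following is an added example, not DragonFly code and not the kernel's slab allocator. Every name in it (guarded_alloc, guard_intact, fake_ifnet, attach_ok, attach_overrun, run_scenario) is hypothetical, the "overrun" is a constructed one-byte write past a stand-in struct rather than the actual ether_ifattach_bpf() defect, and the guard check is done by the caller rather than at free time as a real slab guard would.

```c
/* Added example: a minimal guarded allocator that catches a write past the
 * end of an allocated object, in the spirit of slab-allocator guards.
 * Not DragonFly code; all names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTES 8
#define GUARD_FILL  0xA5   /* pattern written into the guard region after each object */

/* Stand-in for struct ifnet; the real layout does not matter for the demo. */
struct fake_ifnet {
    char name[16];
    int  flags;
};

/* Allocate `size` bytes followed by GUARD_BYTES of guard pattern. The guard
 * region models the slack a slab chunk has past the object when the object
 * size is close to the chunk size. */
static void *guarded_alloc(size_t size)
{
    unsigned char *p = malloc(size + GUARD_BYTES);
    if (p == NULL)
        return NULL;
    memset(p, 0, size);
    memset(p + size, GUARD_FILL, GUARD_BYTES);
    return p;
}

/* Return 1 if the guard after an object of `size` bytes is untouched,
 * 0 if any guard byte was overwritten. */
static int guard_intact(const void *obj, size_t size)
{
    const unsigned char *g = (const unsigned char *)obj + size;
    for (size_t i = 0; i < GUARD_BYTES; i++) {
        if (g[i] != GUARD_FILL)
            return 0;
    }
    return 1;
}

/* Well-behaved "attach": every store stays inside the object. */
static void attach_ok(struct fake_ifnet *ifp)
{
    strncpy(ifp->name, "wlan0", sizeof(ifp->name) - 1);
    ifp->flags = 1;
}

/* Buggy "attach" (constructed): stores one byte past the end of the object,
 * the class of defect the report describes. */
static void attach_overrun(struct fake_ifnet *ifp)
{
    attach_ok(ifp);
    ((unsigned char *)ifp)[sizeof(*ifp)] = 0xFF;  /* lands in the guard region */
}

/* Allocate a guarded object, run one of the two attach routines, and check
 * the guard. Returns 1 if the guard detected corruption, 0 if the object
 * stayed in bounds, -1 on allocation failure. */
static int run_scenario(int overrun)
{
    struct fake_ifnet *ifp = guarded_alloc(sizeof(*ifp));
    if (ifp == NULL)
        return -1;
    if (overrun)
        attach_overrun(ifp);
    else
        attach_ok(ifp);
    int corrupted = !guard_intact(ifp, sizeof(*ifp));
    free(ifp);
    return corrupted;
}

int main(void)
{
    printf("attach_ok:      guard corrupted = %d\n", run_scenario(0));
    printf("attach_overrun: guard corrupted = %d\n", run_scenario(1));
    return 0;
}
```

The point of the check is the one Johannes makes: without the guard, the same one-byte overrun silently clobbers whatever follows the object in the chunk, and whether that is noticed depends on how close sizeof(struct ifnet) happens to sit to a slab chunk boundary.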