From nobody@FreeBSD.org  Thu Oct 18 05:12:59 2012
Message-Id: <201210180512.q9I5Cwq5087509@red.freebsd.org>
Date: Thu, 18 Oct 2012 05:12:58 GMT
From: fuzhli <fuzl@arraynetworks.com.cn>
To: freebsd-gnats-submit@FreeBSD.org
Subject: memory overwrite if configure more than 128 multicast addresses on ixgbe NIC
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         172840
>Category:       kern
>Synopsis:       memory overwrite if configure more than 128 multicast addresses on ixgbe NIC
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 18 05:20:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     fuzhli
>Release:        FreeBSD7.0
>Organization:
Array networks
>Environment:
FreeBSD 7.0 + ixgbe driver 2.3.10.

%uname -a
FreeBSD Array.arraynetworks.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 10:35:36 UTC 2008     root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
Memory will be overwritten if more than 128 multicast addresses are configured on an ixgbe NIC, and this may cause a system panic.
>How-To-Repeat:
Configure more than 128 multicast addresses on an ixgbe NIC.
>Fix:
Index: src/sys/dev/ixgbe/ixgbe.c
===================================================================
RCS file: /home/src/sys/dev/ixgbe/ixgbe.c,v
retrieving revision 1.32.2.7
diff -u -p -r1.32.2.7 ixgbe.c
--- FreeBSD/src/sys/dev/ixgbe/ixgbe.c	29 Sep 2012 06:58:41 -0000	1.32.2.7
+++ FreeBSD/src/sys/dev/ixgbe/ixgbe.c	17 Oct 2012 10:17:33 -0000
@@ -2072,6 +2072,10 @@ ixgbe_set_multi(struct adapter *adapter)
 	TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) {
 		if (ifma->ifma_addr->sa_family != AF_LINK)
 			continue;
+		if (mcnt == MAX_NUM_MULTICAST_ADDRESSES)
+			break;
 		bcopy(LLADDR((struct sockaddr_dl *) ifma->ifma_addr),
 		    &mta[mcnt * IXGBE_ETH_LENGTH_OF_ADDRESS],
 		    IXGBE_ETH_LENGTH_OF_ADDRESS);
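
Review bot: The new `if (mcnt == MAX_NUM_MULTICAST_ADDRESSES) break;` bounds the `bcopy` into `mta`, but it silently discards every AF_LINK address after the limit, so those groups are never placed in the table built by this loop and nothing tells the caller the list was truncated. Handle the overflow case explicitly after the loop, for example by falling back to receiving all multicast traffic or at least logging that the limit was reached, rather than programming a partial list. Two smaller points: `>=` is the more defensive comparison in case `mcnt` is ever advanced elsewhere, and since the size of `mta` is not visible in this hunk, a comment or assertion tying the bound to the buffer's declared size would make the fix self-evident. Also, the hunk header reads `-2072,6 +2072,10` while the visible body has 6 context lines and 2 added lines (8 in the new file), so the patch should be regenerated before it is applied.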

>Release-Note:
>Audit-Trail:
>Unformatted:
