From yar@yar.chem.msu.su  Sat Oct 21 05:52:56 2000
Return-Path: <yar@yar.chem.msu.su>
Received: from yar.chem.msu.su (yar.chem.msu.ru [195.208.208.25])
	by hub.freebsd.org (Postfix) with ESMTP id 87ABE37B4CF
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 21 Oct 2000 05:52:52 -0700 (PDT)
Received: (from yar@localhost)
	by yar.chem.msu.su (8.11.0/8.11.0) id e9LCqns00928;
	Sat, 21 Oct 2000 16:52:49 +0400 (MSD)
	(envelope-from yar)
Message-Id: <200010211252.e9LCqns00928@yar.chem.msu.su>
Date: Sat, 21 Oct 2000 16:52:49 +0400 (MSD)
From: yar@comp.chem.msu.su
Sender: yar@yar.chem.msu.su
Reply-To: yar@comp.chem.msu.su
To: FreeBSD-gnats-submit@freebsd.org
Subject: Bugs in the VLAN driver multicast manipulation code
X-Send-Pr-Version: 3.2

>Number:         22181
>Category:       kern
>Synopsis:       Bugs in the VLAN driver multicast manipulation code
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 21 06:00:01 PDT 2000
>Closed-Date:    Sat Mar 31 03:05:30 PST 2001
>Last-Modified:  Sat Mar 31 03:07:22 PST 2001
>Originator:     Yar Tikhiy
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
Moscow State University
>Environment:

	The bug shows up in all branches.

>Description:

	First, the VLAN driver initializes the "sdl" structure
	in the wrong way in its function vlan_setmulti().
	In particular, the sdl.sdl_nlen field is not explicitly
	set to zero, but it's then used inside the LLADDR() macro.
	Besides that, there are other "struct sockaddr_dl" fields
	to set.

	Second, that function calls malloc() with the M_NOWAIT
	flag, but doesn't check its return value. The function
	won't run at the interrupt level, so it's safe to use
	M_WAITOK there.

	Both bugs may cause a system panic.

>How-To-Repeat:

	See the code.

>Fix:

--- if_vlan.c.orig	Sat Oct 21 14:13:01 2000
+++ if_vlan.c	Sat Oct 21 16:26:13 2000
@@ -118,8 +118,10 @@
 	sc = ifp->if_softc;
 	ifp_p = sc->ifv_p;
 
-	sdl.sdl_len = ETHER_ADDR_LEN;
+	bzero((char *)&sdl, sizeof sdl);
+	sdl.sdl_len = sizeof sdl;
 	sdl.sdl_family = AF_LINK;
+	sdl.sdl_alen = ETHER_ADDR_LEN;
 
 	/* First, remove any existing filter entries. */
 	while(sc->vlan_mc_listhead.slh_first != NULL) {
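Review bot: the `(char *)` cast in `bzero((char *)&sdl, sizeof sdl);` is unnecessary, since the kernel bzero() takes a `void *`; drop it and add a one-line comment above the bzero() saying that it is what zeroes sdl_nlen (so LLADDR(&sdl) resolves to the start of sdl_data) and also sdl_index, sdl_type and sdl_slen, none of which this hunk sets explicitly. Replacing `sdl.sdl_len = ETHER_ADDR_LEN;` with `sdl.sdl_len = sizeof sdl;` plus a separate `sdl.sdl_alen = ETHER_ADDR_LEN;` is the right split: the old line stored the address length in the struct-length field.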
@@ -137,7 +139,7 @@
 	    ifma != NULL;ifma = ifma->ifma_link.le_next) {
 		if (ifma->ifma_addr->sa_family != AF_LINK)
 			continue;
-		mc = malloc(sizeof(struct vlan_mc_entry), M_DEVBUF, M_NOWAIT);
+		mc = malloc(sizeof(struct vlan_mc_entry), M_DEVBUF, M_WAITOK);
 		bcopy(LLADDR((struct sockaddr_dl *)ifma->ifma_addr),
 		    (char *)&mc->mc_addr, ETHER_ADDR_LEN);
 		SLIST_INSERT_HEAD(&sc->vlan_mc_listhead, mc, mc_entries);
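Review bot: switching this malloc() to M_WAITOK removes the NULL dereference, but it means the allocation may now sleep in the middle of the loop `for (...; ifma != NULL; ifma = ifma->ifma_link.le_next)`, and nothing in the hunk prevents that ifma list from being modified by another context while this one sleeps, which would leave `ifma` pointing at a freed or unlinked entry; either confirm that the list cannot change across the sleep and say so in a comment, or keep M_NOWAIT and handle a NULL return (free the partial vlan_mc_listhead and return ENOMEM). In either case add a comment at the malloc() recording the premise that vlan_setmulti() is never called at interrupt level, since M_WAITOK depends on it.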

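As an added, self-contained illustration of the two defects described in this PR (it is not part of the PR, nor code from the FreeBSD if_vlan driver), the following C program models struct sockaddr_dl and the LLADDR() macro from sys/net/if_dl.h and shows why a stale sdl_nlen turns the driver's ETHER_ADDR_LEN-byte copy into an out-of-bounds write, while a cleared struct keeps it at the start of sdl_data. Its second half models the multicast-list rebuild with a pluggable allocator so the unchecked-malloc() failure path can be exercised in user space. The stale byte values, the multicast MAC addresses and the helper names (lladdr_offset, sdl_set_lladdr, lladdr_offset_fixed, lladdr_copy_unpatched, build_mc_list, alloc_never) are constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#define AF_LINK        18   /* value from FreeBSD sys/socket.h */
#define ETHER_ADDR_LEN 6

/* Stand-in for FreeBSD's struct sockaddr_dl (sys/net/if_dl.h), same field order. */
struct sockaddr_dl {
	unsigned char  sdl_len;      /* total length of the sockaddr */
	unsigned char  sdl_family;   /* AF_LINK */
	unsigned short sdl_index;
	unsigned char  sdl_type;
	unsigned char  sdl_nlen;     /* interface name length, no trailing NUL */
	unsigned char  sdl_alen;     /* link-level address length */
	unsigned char  sdl_slen;
	char           sdl_data[46]; /* name first, then the link-level address */
};
/* LLADDR() skips sdl_nlen bytes of name, so a stale sdl_nlen moves the address. */
#define LLADDR(s) ((char *)((s)->sdl_data + (s)->sdl_nlen))

/* Byte offset inside the struct that LLADDR(s) resolves to. */
size_t lladdr_offset(const struct sockaddr_dl *s)
{
	return offsetof(struct sockaddr_dl, sdl_data) + s->sdl_nlen;
}

/* Copy a MAC through LLADDR() as the driver's bcopy does, but return -1 instead
 * of writing when the copy would run past the end of the struct. */
int sdl_set_lladdr(struct sockaddr_dl *s, const unsigned char mac[ETHER_ADDR_LEN])
{
	if (lladdr_offset(s) + ETHER_ADDR_LEN > sizeof(*s)) return -1;
	memcpy(LLADDR(s), mac, ETHER_ADDR_LEN);
	return 0;
}

/* The patched initialization (clear, then len/family/alen); returns where LLADDR() points. */
size_t lladdr_offset_fixed(void)
{
	struct sockaddr_dl s;
	memset(&s, 0, sizeof(s));
	s.sdl_len = sizeof(s);
	s.sdl_family = AF_LINK;
	s.sdl_alen = ETHER_ADDR_LEN;
	return lladdr_offset(&s);
}

/* The unpatched initialization over stack memory whose stale bytes are all `stale`
 * (constructed stand-in: reading real uninitialized memory is undefined behaviour). */
int lladdr_copy_unpatched(unsigned char stale)
{
	static const unsigned char mac[ETHER_ADDR_LEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01}; /* constructed */
	struct sockaddr_dl s;
	memset(&s, stale, sizeof(s));       /* sdl_nlen is left as found, like the old vlan_setmulti() */
	s.sdl_len = ETHER_ADDR_LEN;         /* old code: address length in the struct-length field */
	s.sdl_family = AF_LINK;
	return sdl_set_lladdr(&s, mac);
}

/* Second bug: an unchecked allocation. The allocator is a parameter so M_NOWAIT failure can be simulated. */
typedef void *(*alloc_fn)(size_t);
static void *alloc_never(size_t n) { (void)n; return NULL; }

struct vlan_mc_entry {
	unsigned char mc_addr[ETHER_ADDR_LEN];
	struct vlan_mc_entry *next;
};

void free_mc_list(struct vlan_mc_entry **head)
{
	struct vlan_mc_entry *mc;
	while ((mc = *head) != NULL) { *head = mc->next; free(mc); }
}

/* Rebuild the list from n addresses. Returns the count added, or -1 with the partial list
 * released when alloc() returns NULL; the unpatched driver wrote through that NULL instead. */
int build_mc_list(struct vlan_mc_entry **head, const unsigned char (*macs)[ETHER_ADDR_LEN], size_t n, alloc_fn alloc)
{
	*head = NULL;
	for (size_t i = 0; i < n; i++) {
		struct vlan_mc_entry *mc = alloc(sizeof(*mc));
		if (mc == NULL) { free_mc_list(head); return -1; }
		memcpy(mc->mc_addr, macs[i], ETHER_ADDR_LEN);
		mc->next = *head;
		*head = mc;
	}
	return (int)n;
}

/* Two constructed multicast MACs, built with malloc() or with the failing allocator. */
int build_mc_list_demo(int simulate_oom)
{
	static const unsigned char macs[2][ETHER_ADDR_LEN] = {
		{0x01, 0x00, 0x5e, 0x00, 0x00, 0x01}, {0x01, 0x00, 0x5e, 0x00, 0x00, 0xfb}};
	struct vlan_mc_entry *head;
	int rc = build_mc_list(&head, macs, 2, simulate_oom ? alloc_never : malloc);
	free_mc_list(&head);
	return rc;
}
```

With the layout above, sdl_data starts at byte 8 of a 54-byte struct, so the patched initialization lands LLADDR() at offset 8 and the six-byte copy fits; the unpatched path with a stale sdl_nlen of 0xff would target offset 263, far past the stack object, and only happens to work when the stale byte is zero. The allocator hook makes the point of the second fix concrete: with M_NOWAIT a NULL return is a normal outcome, and the caller either checks it or the kernel faults on the first write to mc->mc_addr.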
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: yar 
State-Changed-When: Sat Mar 31 03:05:30 PST 2001 
State-Changed-Why:  
Fixed in both branches 

http://www.freebsd.org/cgi/query-pr.cgi?pr=22181 
>Unformatted:
