From nobody  Tue Jan  7 21:37:10 1997
Received: (from nobody@localhost)
          by freefall.freebsd.org (8.8.4/8.8.4) id VAA13925;
          Tue, 7 Jan 1997 21:37:10 -0800 (PST)
Message-Id: <199701080537.VAA13925@freefall.freebsd.org>
Date: Tue, 7 Jan 1997 21:37:10 -0800 (PST)
From: seki@sysrap.cs.fujitsu.co.jp
To: freebsd-gnats-submit@freebsd.org
Subject: Writing into bpf makes a malformed mbuf delivered to Ethernet driver 
X-Send-Pr-Version: www-1.0

>Number:         2415
>Category:       kern
>Synopsis:       Writing into bpf makes a malformed mbuf delivered to Ethernet driver
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan  7 21:40:00 PST 1997
>Closed-Date:    Wed Jan 8 06:17:38 PST 1997
>Last-Modified:  Wed Jan  8 06:18:11 PST 1997
>Originator:     Masahiro Sekiguchi
>Release:        2.2 BETA
>Organization:
Fujitsu Limited
>Environment:
>Description:
When debugging the PAO portion of my if_fe driver, I found the driver
receiving packets stored in a malformed mbuf to send out.  That is,
m_pkthdr.len in the first mbuf was 14 bytes larger than the sum
of the m_len values in the chain.

The fe driver relies on m_pkthdr.len, and, if such packets come
when the transmission packet queue is long (e.g., under heavy network
load), the driver will crash.

After analyzing the case, I found the malformed packets came
from the dhcpc daemon of the WIDE dhcp package through the bpfilter
device.  All packets from dhcpc seemed to have a 14 bytes larger
value stored in m_pkthdr.len.

I'm not completely sure yet, but I guess it is a bug in bpf.c.
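The mismatch this report describes, as an added example that is neither the submitter's nor FreeBSD's code: a simplified mbuf (pkthdr_len standing in for m_pkthdr.len), the bpf write path with and without the proposed one-line fix, and the chain-length check a driver can run before trusting the header.

```c
#include <stddef.h>
#include <string.h>
#define ETHER_HDR_LEN 14
/* Simplified mbuf; pkthdr_len stands in for m_pkthdr.len (first mbuf only). */
struct mbuf {
    struct mbuf *m_next;      /* next mbuf in the chain */
    char        *m_data;      /* start of valid data */
    size_t       m_len;       /* bytes valid in this mbuf */
    size_t       pkthdr_len;  /* total packet length, header mbuf only */
    char         buf[2048];
};
/* Mimics the bpf write path: copy the user buffer into one mbuf, record the
 * whole write as the packet length, then strip the link header so the driver
 * can prepend its own.  With fixed == 0 only m_len is decremented (the defect). */
static void bpf_movein_sim(struct mbuf *m, const char *src, size_t len,
                           size_t hlen, int fixed)
{
    m->m_next = NULL;
    m->m_data = m->buf;
    memcpy(m->m_data, src, len);
    m->m_len = len;
    m->pkthdr_len = len;
    if (hlen != 0) {
        if (fixed)
            m->pkthdr_len -= hlen;  /* the one-line patch from the PR */
        m->m_len -= hlen;
        m->m_data += hlen;
    }
}

/* Sum of m_len over the chain; a driver that trusts m_pkthdr.len for its
 * transmit length should compare the two before queueing the packet. */
static size_t mbuf_chain_len(const struct mbuf *m)
{
    size_t total = 0;
    for (; m != NULL; m = m->m_next)
        total += m->m_len;
    return total;
}

/* Header-minus-chain mismatch for a constructed 14-byte Ethernet header plus
 * 300 bytes of payload; 0 means the mbuf is consistent, 14 reproduces the PR. */
static long pkthdr_mismatch(int fixed)
{
    static struct mbuf m;
    char frame[ETHER_HDR_LEN + 300] = {0};
    bpf_movein_sim(&m, frame, sizeof frame, ETHER_HDR_LEN, fixed);
    return (long)m.pkthdr_len - (long)mbuf_chain_len(&m);
}
```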

>How-To-Repeat:
Run dhcpc in WIDE dhcp (which is available as a part of 2.2 packages) with any Ethernet driver.

With ddb (or any other kernel debugger), catch an mbuf from
dhcpc at the entry to the Ethernet driver (the DEVICE_start routine).

Dump the mbuf.

>Fix:
I suggest the following patch to sys/net/bpf.c:

--- bpf.old.c	Wed Jan  8 13:22:26 1997
+++ bpf.c	Wed Jan  8 13:26:12 1997
@@ -227,6 +227,7 @@
 	 * Make room for link header.
 	 */
 	if (hlen != 0) {
+		m->m_pkthdr.len -= hlen;
 		m->m_len -= hlen;
 #if BSD >= 199103
 		m->m_data += hlen; /* XXX */

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: wollman 
State-Changed-When: Wed Jan 8 06:17:38 PST 1997 
State-Changed-Why:  
Adopted in rev 1.27 of bpf.c.
>Unformatted:
