From alan@beandorf.epilogue.com  Wed Jun 14 15:30:43 1995
Received: from beandorf.epilogue.com (beandorf.epilogue.com [128.224.1.153])
          by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id PAA02475
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 14 Jun 1995 15:30:36 -0700
Received: (from alan@localhost) by beandorf.epilogue.com (8.6.9/8.6.9) id SAA00401; Wed, 14 Jun 1995 18:30:34 -0400
Message-Id: <199506142230.SAA00401@beandorf.epilogue.com>
Date: Wed, 14 Jun 1995 18:30:34 -0400
From: Alan Bawden <Alan@Epilogue.Com>
Reply-To: Alan@Epilogue.Com
To: FreeBSD-gnats-submit@freebsd.org
Subject: writing to bpf(loopback) causes kernel panic
X-Send-Pr-Version: 3.2

>Number:         512
>Category:       kern
>Synopsis:       writing to bpf(loopback) causes kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 14 15:40:00 1995
>Closed-Date:    Fri Sep 22 10:58:24 PDT 1995
>Last-Modified:  Fri Sep 22 10:59:35 PDT 1995
>Originator:     Alan Bawden
>Release:        FreeBSD 2.0-RELEASE i386
>Organization:
>Environment:

	???

>Description:

	Attaching the bpf device to the loopback interface, and then
	attempting to write data always causes a kernel panic.  It seems
	to have nothing to do with the validity of the data being written,
	although the example below is careful to write a valid ICMP packet.

>How-To-Repeat:

	Compile and run the following program:

	/* Bug: writing to bpf(loopback) causes kernel panic
	 * **DANGER** this -will- crash your machine!
	 */

	#include <stdlib.h>
	#include <stdio.h>
	#include <stdarg.h>
	#include <string.h>
	#include <errno.h>
	#include <fcntl.h>
	#include <unistd.h>		/* open(2), write(2), close(2) */
	#include <sys/types.h>		/* u_int32_t */
	#include <sys/socket.h>		/* PF_INET */
	#include <sys/ioctl.h>
	#include <net/if.h>
	#include <net/bpf.h>

	/* Here is a ping I captured off the loopback interface.
	 * Sending it out again shouldn't be a problem!
	 *
	 * The first 4 bytes are the loopback (DLT_NULL) pseudo-header: the
	 * address family as a 32-bit word in host byte order.  main() fills
	 * it in before writing.  Everything after it is the raw IPv4 datagram
	 * (20-byte header + 64-byte ICMP echo request), 88 bytes in total.
	 */
	unsigned char ping[] = {
	  0x02, 0x00, 0x00, 0x00,	/* fix first word endianness later */
	  0x45, 0x00, 0x00, 0x54,
	  0xC7, 0xB5, 0x00, 0x00,
	  0xFF, 0x01, 0xF5, 0xF0,	/* Protocol = ICMP */
	  0x7F, 0x00, 0x00, 0x01,	/* 127.0.0.1 */
	  0x7F, 0x00, 0x00, 0x01,	/* 127.0.0.1 */
	  0x08, 0x00, 0x09, 0x66,	/* Type = ECHO */
	  0xBE, 0x03, 0x04, 0x00,
	  0x73, 0x51, 0xDF, 0x2F,
	  0xEC, 0x11, 0x03, 0x00,
	  0x08, 0x09, 0x0A, 0x0B,
	  0x0C, 0x0D, 0x0E, 0x0F,
	  0x10, 0x11, 0x12, 0x13,
	  0x14, 0x15, 0x16, 0x17,
	  0x18, 0x19, 0x1A, 0x1B,
	  0x1C, 0x1D, 0x1E, 0x1F,
	  0x20, 0x21, 0x22, 0x23,
	  0x24, 0x25, 0x26, 0x27,
	  0x28, 0x29, 0x2A, 0x2B,
	  0x2C, 0x2D, 0x2E, 0x2F,
	  0x30, 0x31, 0x32, 0x33,
	  0x34, 0x35, 0x36, 0x37
	  };

	/* Report the failing step together with errno, then dump core. */
	void
	die(char *msg)
	{
	  fprintf(stderr, "error %d (%s): %s\n", errno, strerror(errno), msg);
	  abort();
	}

	int
	main(int argc, char **argv)
	{
	  int bpf;
	  struct ifreq ifr;
	  u_int32_t af = PF_INET;	/* the pseudo-header word is 32 bits wide;
					 * u_long would be 8 bytes on 64-bit hosts */

	  bpf = open("/dev/bpf0", O_RDWR, 0666);
	  if (bpf < 0) die("open bpf0");

	  /* Attach the bpf descriptor to the loopback interface. */
	  memset(&ifr, 0, sizeof(ifr));
	  strncpy(ifr.ifr_name, "lo0", sizeof(ifr.ifr_name));
	  if (ioctl(bpf, BIOCSETIF, &ifr)) die("set interface");

	  /* Fill in the first word with the address family in host byte
	   * order (this is the "endianness" fix promised above). */
	  memcpy(ping, &af, sizeof(af));
	  if (write(bpf, ping, sizeof(ping)) != sizeof(ping)) die("write");

	  close(bpf);
	  exit(0);
	}

>Fix:
	
	???
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: wollman
State-Changed-When: Fri Sep 22 10:58:24 PDT 1995
State-Changed-Why:
Fix from Bill Fenner applied:

Checking in bpf.c;
/home/ncvs/src/sys/net/bpf.c,v  <--  bpf.c
new revision: 1.13; previous revision: 1.12
done
Checking in if.c;
/home/ncvs/src/sys/net/if.c,v  <--  if.c
new revision: 1.20; previous revision: 1.19
done
Checking in if_disc.c;
/home/ncvs/src/sys/net/if_disc.c,v  <--  if_disc.c
new revision: 1.7; previous revision: 1.6
done
Checking in if_loop.c;
/home/ncvs/src/sys/net/if_loop.c,v  <--  if_loop.c
new revision: 1.13; previous revision: 1.12
done

>Unformatted:



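The submitter's point is that the panic does not depend on the packet being malformed. As an added example (not code from the PR or from FreeBSD), the following C program re-checks the record that the How-To-Repeat program writes: it parses the DLT_NULL loopback framing (a 4-byte address-family word in host byte order, here assumed to be AF_INET written little-endian as on the submitter's i386) and verifies the IPv4 header length, header checksum, protocol, and ICMP checksum. The `check_loopback_record` function and its return codes are this example's own naming.

```c
/* Added example, not part of the PR: validate the loopback record from the
 * How-To-Repeat program before it is handed to bpf.  The record layout is
 * bpf's DLT_NULL framing: 4-byte AF word (host order) + raw IPv4 datagram. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The 88-byte record from the PR.  The AF word is constructed here as
 * AF_INET (2) in little-endian order, as the i386 host would store it. */
static const uint8_t ping_record[] = {
    0x02,0x00,0x00,0x00, 0x45,0x00,0x00,0x54, 0xC7,0xB5,0x00,0x00,
    0xFF,0x01,0xF5,0xF0, 0x7F,0x00,0x00,0x01, 0x7F,0x00,0x00,0x01,
    0x08,0x00,0x09,0x66, 0xBE,0x03,0x04,0x00, 0x73,0x51,0xDF,0x2F,
    0xEC,0x11,0x03,0x00, 0x08,0x09,0x0A,0x0B, 0x0C,0x0D,0x0E,0x0F,
    0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17, 0x18,0x19,0x1A,0x1B,
    0x1C,0x1D,0x1E,0x1F, 0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27,
    0x28,0x29,0x2A,0x2B, 0x2C,0x2D,0x2E,0x2F, 0x30,0x31,0x32,0x33,
    0x34,0x35,0x36,0x37
};

/* RFC 1071 one's-complement checksum over len bytes (16-bit big-endian
 * words, odd trailing byte padded with zero).  Returns 0 for a valid sum. */
uint16_t in_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Check a DLT_NULL record: returns 0 if well-formed, else a code for the
 * first fault found (see comments).  Codes are this example's own. */
int check_loopback_record(const uint8_t *rec, size_t len)
{
    const uint8_t *ip;
    size_t ihl, total;
    if (len < 24) return 1;                              /* AF word + IPv4 header */
    if (rec[0] != 2 || rec[1] || rec[2] || rec[3]) return 2; /* AF word not AF_INET */
    ip = rec + 4;
    if ((ip[0] >> 4) != 4) return 3;                     /* not IPv4 */
    ihl = (size_t)(ip[0] & 0x0F) * 4;
    total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl || total != len - 4) return 4; /* bad lengths */
    if (in_cksum(ip, ihl) != 0) return 5;                /* IP header checksum */
    if (ip[9] != 1) return 6;                            /* protocol not ICMP */
    if (in_cksum(ip + ihl, total - ihl) != 0) return 7;  /* ICMP checksum */
    return 0;
}
```

Running the check on the PR's bytes returns 0, confirming the packet the submitter wrote is a well-formed ICMP echo request; the same routine rejects a corrupted or truncated copy.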