Hi,

It seems there is a problem in the bpf_mtap code:

Actually the code assumes, in the seesent case, that the mbuf will have a pkthdr structure.

There are 2 problems here:
      + they did not check for that with (m_flags & M_PKTHDR)
      + at the upper level the caller forges a fake mbuf that does not
      contain any pkthdr and does not initialize the m_flags field

What do you think about that?
      
if_ethersubr.c case:

        /* Check for a BPF tap */
        if (ifp->if_bpf != NULL) {
                struct m_hdr mh;

                /* This kludge is OK; BPF treats the "mbuf" as read-only */
                mh.mh_next = m;
                mh.mh_data = (char *)eh;
                mh.mh_len = ETHER_HDR_LEN;
                bpf_mtap(ifp, (struct mbuf *)&mh);
        }


bpf_mtap function:
/*
 * Incoming linkage from device drivers, when packet is in an mbuf chain.
 */
void
bpf_mtap(ifp, m)
        struct ifnet *ifp;
        struct mbuf *m;
{
        struct bpf_if *bp = ifp->if_bpf;
        struct bpf_d *d;
        u_int pktlen, slen;
        struct mbuf *m0;

        pktlen = 0;
        for (m0 = m; m0 != 0; m0 = m0->m_next)
                pktlen += m0->m_len;

        for (d = bp->bif_dlist; d != 0; d = d->bd_next) {
                if (!d->bd_seesent && (m->m_pkthdr.rcvif == NULL))
                        continue;
                ++d->bd_rcount;
                slen = bpf_filter(d->bd_filter, (u_char *)m, pktlen, 0);
                if (slen != 0)
                        catchpacket(d, (u_char *)m, pktlen, slen, bpf_mcopy);
        }
}

fabien
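A hardened form of the check discussed above, as an added example that is not part of the original mail or of the kernel source: it models the mbuf fields with constructed, simplified structs (the M_PKTHDR value, the struct layout and struct ifnet are assumptions) and shows both fixes the mail points at, testing M_PKTHDR before reading m_pkthdr and initialising the flags of the forged m_hdr.

```c
/* Added example: constructed, simplified models of the BSD mbuf fields that
 * the bpf_mtap check touches.  These are not the kernel's own definitions. */
#include <stddef.h>

#define M_PKTHDR 0x0002     /* constructed flag value standing in for the kernel's */

struct ifnet { const char *if_xname; };

struct m_hdr {              /* common header, present in every mbuf */
    struct mbuf *mh_next;
    char        *mh_data;
    int          mh_len;
    int          mh_flags;
};

struct pkthdr { struct ifnet *rcvif; };

struct mbuf {               /* a real mbuf: m_hdr followed by the pkthdr area */
    struct m_hdr  m_hdr;
    struct pkthdr m_pkthdr; /* only meaningful when (m_flags & M_PKTHDR) */
};
#define m_next  m_hdr.mh_next
#define m_flags m_hdr.mh_flags

/* Hardened form of the per-descriptor test in bpf_mtap.  Returns 1 when a
 * descriptor that does not want sent packets (seesent == 0) should skip m.
 * A chain without M_PKTHDR has no rcvif to consult, so it is treated as
 * outgoing (assumption: only the output path forges header-less mbufs) and
 * m_pkthdr is never read for it. */
int bpf_mtap_skip(const struct mbuf *m, int seesent)
{
    if (seesent)
        return 0;                       /* descriptor wants everything */
    if (!(m->m_flags & M_PKTHDR))
        return 1;                       /* no pkthdr: do not touch it */
    return m->m_pkthdr.rcvif == NULL;   /* rcvif unset means outgoing */
}

/* Caller-side fix for the if_ethersubr.c kludge: the forged m_hdr now has
 * its flags initialised, so bpf_mtap_skip can see there is no pkthdr. */
struct m_hdr forge_ether_mbuf(struct mbuf *payload, char *eh, int hdrlen)
{
    struct m_hdr mh;
    mh.mh_next  = payload;
    mh.mh_data  = eh;
    mh.mh_len   = hdrlen;
    mh.mh_flags = 0;                    /* the missing initialisation */
    return mh;
}
```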
