diff options
| author | ru <ru@FreeBSD.org> | 2005-11-24 18:56:14 +0000 |
|---|---|---|
| committer | ru <ru@FreeBSD.org> | 2005-11-24 18:56:14 +0000 |
| commit | fd2f0452fd92ba735cd646e5b1a20def1a72d622 (patch) | |
| tree | fdcf6716785fd45a03a8574e287608594ac0e359 /sys/net/ethernet.h | |
| parent | 5d85d3ca54fa8a1a7c330ce11a6682b88c5c1499 (diff) | |
| download | FreeBSD-src-fd2f0452fd92ba735cd646e5b1a20def1a72d622.zip FreeBSD-src-fd2f0452fd92ba735cd646e5b1a20def1a72d622.tar.gz | |
Fix the following bugs:
- In ifc_name2unit(), disallow leading zeroes in a unit.
Exploit: ifconfig lo01 create
- In ifc_name2unit(), properly handle overflows. Otherwise,
either of two local panic()'s can occur, either because
no interface with such a name could be found after it was
successfully created, or because the code will bogusly
assume that it's a wildcard (unit < 0 due to overflow).
Exploit: ifconfig lo<overflowed_integer> create
- Previous revision made the following sequence trigger
a KASSERT() failure in queue(3):
Exploit: ifconfig lo0 destroy; ifconfig lo0 destroy
This is because IFC_IFLIST_REMOVE() is always called
before ifc->ifc_destroy() has been run, not accounting
for the fact that the latter can fail and leave the
interface operating (like is the case for "lo0").
So we ended up calling LIST_REMOVE() twice. We cannot
defer IFC_IFLIST_REMOVE() until after a call to
ifc->ifc_destroy() because the ifnet may have been
removed and its memory has been freed, so recover from
this by re-inserting the ifnet in the cloned interfaces
list if ifc->ifc_destroy() indicates a failure.
Diffstat (limited to 'sys/net/ethernet.h')
0 files changed, 0 insertions, 0 deletions
