Matthew Dillon <[email protected]> wrote:
>
> :When cloning a wlan interface with e.g.
> : ifconfig wlan0 create wlandev ath0
> :a struct ifnet is allocated via if_alloc and then passed to
> :ether_ifattach_bpf() which writes beyond the struct ifnet.
> :This is especially a problem if struct ifnet size is close to a chunk
> :size of the slab allocator - as it happens with the recent pf update.
> :This was caught by guards I added to the slab allocator.
> :
> :Cheers,
> :Johannes
>
> Ok, we need to track this down. I don't see anything in
> ether_ifattach_bpf() itself that indexes past the end of the
> ifnet, is it something ether_ifattach_bpf() calls or something
> after ether_ifattach_bpf() returns? How much code do we have to
> review here?
It's the bcopy() in ether_ifattach_bpf() with the XXX in the comment. ifp is
expected to be embedded in a struct arpcom, which is not the case for the
cloned wlan interface.

Cheers,
Johannes
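A minimal C model of the embedding assumption behind this bug, added here as an illustration and not code from the DragonFly tree: the struct layouts, the IFF_IN_ARPCOM flag and the function names are constructed, and the guard bytes stand in for the slab-allocator guards mentioned above.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model, not DragonFly's real definitions: an arpcom embeds the ifnet as
 * its first member and keeps the Ethernet address right after it. */
struct ifnet  { char if_xname[16]; unsigned int if_flags; };
struct arpcom { struct ifnet ac_if; unsigned char ac_enaddr[6]; };
#define IFF_IN_ARPCOM  0x1   /* constructed flag, only for attach_checked() */
#define ETHER_ADDR_LEN 6
#define GUARD          0xA5
static const unsigned char lla[ETHER_ADDR_LEN] = {0,0x11,0x22,0x33,0x44,0x55};

/* Models the XXX bcopy() in ether_ifattach_bpf(): it unconditionally treats ifp
 * as the head of an arpcom, so for an ifnet that was if_alloc'd on its own (the
 * cloned wlan case) the copy lands beyond the end of the object. */
static void attach_unchecked(struct ifnet *ifp, const unsigned char *addr)
{
    memcpy(((struct arpcom *)ifp)->ac_enaddr, addr, ETHER_ADDR_LEN);
}

/* Hardened variant: copy only when ifp is marked as embedded in an arpcom.
 * Returns 0 on success, -1 when refused. */
static int attach_checked(struct ifnet *ifp, const unsigned char *addr)
{
    if (!(ifp->if_flags & IFF_IN_ARPCOM))
        return -1;
    memcpy(((struct arpcom *)ifp)->ac_enaddr, addr, ETHER_ADDR_LEN);
    return 0;
}

/* Reproduces what the slab guards caught: a bare ifnet with guard bytes after it.
 * The block is sized as a whole arpcom so the stray write hits the guard instead
 * of unrelated heap memory. Returns 1 if any guard byte was clobbered. */
static int bare_ifnet_attach_clobbers_guard(void)
{
    size_t off = sizeof(struct ifnet), tail = sizeof(struct arpcom) - off, i;
    unsigned char *blk = calloc(1, sizeof(struct arpcom));
    int clobbered = 0;
    memset(blk + off, GUARD, tail);
    attach_unchecked((struct ifnet *)blk, lla);
    for (i = 0; i < tail; i++)
        clobbered |= (blk[off + i] != GUARD);
    free(blk);
    return clobbered;
}

/* 1 if the checked variant refuses a bare ifnet and succeeds on a real arpcom. */
static int checked_attach_behaves(void)
{
    struct ifnet  bare = {"wlan0", 0};
    struct arpcom ac   = {{"ath0", IFF_IN_ARPCOM}, {0}};
    return attach_checked(&bare, lla) == -1 &&
           attach_checked(&ac.ac_if, lla) == 0 &&
           memcmp(ac.ac_enaddr, lla, ETHER_ADDR_LEN) == 0;
}
```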
