xorl %eax, %eax

FreeBSD-EN-09:02: bce(4) driver Missing Packet Length Update


This is not a security-related issue, but it is still interesting. It affects the FreeBSD 7.2 release, and credit for the bug goes to Pete French and David Christensen. The FreeBSD project officially disclosed it on 24 June 2009. The bug is in bce(4), the device driver for Broadcom NetXtreme II PCI/PCIe Gigabit Ethernet adapters. If you add a network adapter that uses this driver as a lagg(4) member, the interface will stop working. In addition, in the non-ZERO_COPY_SOCKETS case the packet length is never updated, so incorrect values are passed to userspace. The fix was simply to add the missing #else clause after the #ifdef ZERO_COPY_SOCKETS, like this:

+        /* Set the total packet length. */
+		m0->m_pkthdr.len = m0->m_len = pkt_len;
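Review bot: the comment on the first added line mentions only the total packet length, but the chained assignment under it also sets m0->m_len, which is the length of this one mbuf. The two are equal only when the whole frame sits in a single mbuf, so the comment should state that this path assumes it. The excerpt also leaves out the #else and #endif lines the text describes, so the hunk alone does not show that the assignment is compiled only when ZERO_COPY_SOCKETS is undefined, and the two added lines are indented differently (spaces on the comment, tabs on the assignment).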

Written by xorl

July 9, 2009 at 22:03
