[Bug 263824] genet(4): Driver interface may overwrite memory in a consecutive memory copy operations when parsing TX packet

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 09 May 2022 00:19:26 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263824

--- Comment #4 from Jiahao LI <jiahali@blackberry.com> ---
(In reply to Mike Karels from comment #3)
Hi,

Happy to hear that the problem can be fixed. I cannot reproduce the problem in
the current release of the FreeBSD image, but I never tried to change any
parameter in "sysctl". This problem happens in my own development environment.

My development environment is not entirely based on FreeBSD, but FreeBSD is
running within our development environment and the version of FreeBSD is not
based on the current release.

hw.genet.tx_hdr_min does not exist in the FreeBSD running in my development
environment.

I can provide further details to help reproduce this issue. Let's say we want
to send a large packet, e.g. "ping -s 2048 ....", and the packet is going to be
fragmented at the network layer, IP layer.

For the first fragmented packet, the network header, ICMP header and a portion
of payload are stored in one mbuf, and "M_EXT" macro is set at that mbuf based
on the rule in the code. Therefore, the mbuf is not writeable. The link-layer
header and statusblock will be prepended to a new mbuf inserted before the mbuf
carrying the "network header + ICMP header + payload".

For reproducing the problem, it might not be necessary to send a large packet,
but just make the mbuf not writable.
