problem in if_tap.c
Marc Lörner
marc.loerner at hob.de
Mon Apr 14 09:02:15 UTC 2008
Hello,
I found the following problem in the if_tap-device code in function tapcreate
when used on 64-bit systems:

        TAPDEBUG("tapcreate(%s%d). minor = %#x\n", name, unit, minor(dev));

        /* generate fake MAC address: 00 bd xx xx xx unit_no */
        macaddr_hi = htons(0x00bd);
        bcopy(&macaddr_hi, eaddr, sizeof(short));
---->   bcopy(&ticks, &eaddr[2], sizeof(long));
        eaddr[5] = (u_char)unit;

        /* fill the rest and attach interface */

sizeof(long) is not 4 on every system (e.g. on ia64 it's 8)
=> bytes are copied from undefined memory into undefined memory
Regards,
Marc
P.S.: On replies please cc me because I'm not on the list.
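
Added example, not part of the original post and not FreeBSD code: a fixed-width version of the MAC generation reported above, with a guard-byte check showing that nothing past the address is written. The names tap_fake_mac, mac_copy_overrun and guard_intact are hypothetical; it assumes a 6-byte Ethernet address and a tick counter passed as an int.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6	/* defined locally for this example */

/* Bytes that a copy of len bytes to &eaddr[off] writes past a 6-byte address. */
static size_t
mac_copy_overrun(size_t off, size_t len)
{
	size_t room = off < ETHER_ADDR_LEN ? ETHER_ADDR_LEN - off : 0;
	return (len > room ? len - room : 0);
}

/* Hypothetical helper: build 00 bd xx xx xx unit_no with fixed-width types. */
static void
tap_fake_mac(uint8_t eaddr[ETHER_ADDR_LEN], int ticks_now, int unit)
{
	uint32_t t = (uint32_t)ticks_now;	/* always 4 bytes, unlike long */

	_Static_assert(2 + sizeof(t) == ETHER_ADDR_LEN, "copy must end at eaddr[5]");
	eaddr[0] = 0x00;
	eaddr[1] = 0xbd;
	memcpy(&eaddr[2], &t, sizeof(t));	/* fills eaddr[2..5], host byte order */
	eaddr[5] = (uint8_t)unit;		/* last byte is the unit number */
}

/* Returns 1 if the bytes placed directly after the address are untouched. */
static int
guard_intact(int ticks_now, int unit)
{
	struct { uint8_t eaddr[ETHER_ADDR_LEN]; uint8_t guard[8]; } s;
	static const uint8_t pattern[8] = { 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5 };

	memset(&s, 0xa5, sizeof(s));
	tap_fake_mac(s.eaddr, ticks_now, unit);
	return (s.eaddr[0] == 0x00 && s.eaddr[1] == 0xbd &&
	    s.eaddr[5] == (uint8_t)unit && memcmp(s.guard, pattern, 8) == 0);
}

int
main(void)
{
	printf("overrun with 8-byte long: %zu bytes\n", mac_copy_overrun(2, 8));
	printf("guard intact: %d\n", guard_intact(123456 /* constructed */, 3));
	return (0);
}
```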