Current-Users archive

NetBSD Security Advisory 2013-009: user settable small BPF buffer can cause a panic

                NetBSD Security Advisory 2013-009

Topic:          user settable small BPF buffer can cause a panic

Version:        NetBSD-current:         source prior to Sept 10th, 2013
                NetBSD 6.1:             affected
                NetBSD 6.0:             affected
                NetBSD 5.1:             affected
                NetBSD 5.2:             affected

Severity:       Local DoS

Fixed:          NetBSD-current:         Sept 9th, 2013
                NetBSD-6-0 branch:      Sept 11th, 2013
                NetBSD-6-1 branch:      Sept 11th, 2013
                NetBSD-6 branch:        Sept 11th, 2013
                NetBSD-5-1 branch:      Sept 11th, 2013
                NetBSD-5-2 branch:      Sept 11th, 2013
                NetBSD-5 branch:        Sept 11th, 2013

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Setting the bpf buffer size manually to be less than the required
number of bytes to store the bpf header will crash the system.

Technical Details

On NetBSD with 64-bit bpf_timeval, the minimum allowed BPF buffer size
is the same size as the size of struct bpf_hdr. When BPF reports a
packet, it will add the link-layer-type header and the bpf_hdr to the
buffer it was supplied, and then add captured data in the remaining

Setting the buffer size via ioctl BIOCSBLEN checks against
BPF_MINBUFSIZE, but this test is not adequate since it does not
include the size of the link layer header. As the link layer header
size can change, no check there would be adequate.

When calculating the size left for captured data (buffer size minus
the sum of the size of the two headers) it may thus get a negative

It will proceed to use this length e.g. to copy data into the buffer,
but the copying routine will use an unsigned variable for the size of
the buffer to copy to, and thus get a very large number. When the copy
routine copies captured data to the buffer, it will leave the bounds
of the buffer, and a panic will result.
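
The length arithmetic described above, modelled in userland C as an added example (this is not NetBSD's code and not the committed fix). It assumes the workaround figures 36 and 120 stand for the combined size of the two headers on Ethernet and wifi; all function names and sample sizes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed model values: bpf_hdr plus link-layer header space, taken from the
 * advisory's workaround thresholds (36 on Ethernet, 120 on wifi). */
#define HDRS_ETHERNET 36
#define HDRS_WIFI     120

/* Unchecked arithmetic: room left for captured data, kept in a signed int. */
static int room_signed(int bufsize, int hdrs) { return bufsize - hdrs; }

/* The same value as seen by a copy routine that takes an unsigned length. */
static size_t room_as_copy_len(int bufsize, int hdrs) { return (size_t)(bufsize - hdrs); }

/* Checked variant: compare before subtracting, then clamp the capture.
 * Returns 0 when the two headers alone do not fit in the buffer. */
static size_t capture_len(size_t bufsize, size_t hdrs, size_t pktlen)
{
    if (bufsize < hdrs)
        return 0;
    size_t room = bufsize - hdrs;
    return pktlen < room ? pktlen : room;
}

/* Write zeroed header space plus clamped packet data; returns data bytes stored. */
static size_t store_checked(unsigned char *buf, size_t bufsize, size_t hdrs,
                            const unsigned char *pkt, size_t pktlen)
{
    if (bufsize < hdrs)
        return 0;                      /* drop: never reach the copy */
    size_t n = capture_len(bufsize, hdrs, pktlen);
    memset(buf, 0, hdrs);
    memcpy(buf + hdrs, pkt, n);
    return n;
}

int main(void)
{
    static const int sizes[] = { 32, 36, 64, 120, 256 };  /* constructed sample sizes */
    unsigned char buf[256], pkt[100];
    memset(pkt, 0xAB, sizeof pkt);
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int b = sizes[i];
        printf("buf=%3d eth: signed=%4d unsigned=%zu stored=%zu | wifi: signed=%4d stored=%zu\n",
               b, room_signed(b, HDRS_ETHERNET), room_as_copy_len(b, HDRS_ETHERNET),
               store_checked(buf, (size_t)b, HDRS_ETHERNET, pkt, sizeof pkt),
               room_signed(b, HDRS_WIFI), store_checked(buf, (size_t)b, HDRS_WIFI, pkt, sizeof pkt));
    }
    return 0;
}
```

A 64-byte buffer passes the Ethernet check but not the wifi one, which is why a single fixed minimum cannot cover every link-layer type.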

Solutions and Workarounds

/dev/bpf* usually can only be read by root. If you have not changed
this default: avoid running bpf programs that try to use a buffer size
smaller than 36 on ethernet and 120 on wifi.

Install a kernel containing the fix.

The fastest way to do that, if you are running or can run a standard
kernel built as part of the NetBSD release process, is to obtain the
corresponding kernel from the daily NetBSD autobuild output and
install it on your system.

You can obtain such kernels from
where they are sorted by NetBSD branch, date, and architecture.  To
fix a system running e.g. NetBSD 6.0 or the stable NetBSD 6.0 branch,
the most appropriate kernel will be the "netbsd-6-0" kernel.

To fix a system running NetBSD-current, the "HEAD" kernel should be
used.  In all cases, a kernel from an autobuild dated newer than the
fix date for the branch you are using must be used to fix the problem.

If you cannot use the autobuilt kernels, then for all affected NetBSD
versions, you need to obtain fixed kernel sources, rebuild and install
the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

  ARCH        with your architecture (from uname -m), and
  KERNCONF    with the name of your kernel configuration file.
  NEWVERSION  with the CVS version of the fix

Versions of src/sys/net/bpf.c:
        Branch          NEWVERSION
        HEAD            1.176

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -rNEWVERSION sys/net/bpf.c
        # ./ kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd 
        # shutdown -r now

For more information on how to do this, see:

Thanks To

Thanks to Peter Bex, who found and analyzed the problem,
and Christos Zoulas, who created the fix.

Revision History

        2013-09-11      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2013, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2013-009.txt,v 1.1 2013/09/11 10:36:59 tonnerre Exp $