Subject: port-arm32/8343: bpf bug in if_ie.c
To: None <gnats-bugs@gnats.netbsd.org>
From: None <rearnsha@arm.com>
List: netbsd-bugs
Date: 09/07/1999 16:53:52
>Number:         8343
>Category:       port-arm32
>Synopsis:       bpf bug in if_ie.c
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    port-arm32-maintainer (NetBSD/arm32 Portmaster)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep  7 16:35:00 1999
>Last-Modified:
>Originator:     Richard Earnshaw
>Organization:
ARM
	
>Release:        1.4 or later
>Environment:
	
System: NetBSD buzzard.cambridge.arm.com 1.4 NetBSD 1.4 (BUZZARD) #161: Tue Sep 7 21:21:53 BST 1999 rearnsha@buzzard.cambridge.arm.com:/home/rearnsha/netbsd/src/sys/arch/arm32/compile/BUZZARD arm32


>Description:
	The #ifdef BPFILTER in podulebus/if_ie.c is misspelt.  Further, the
	header of ethernet package is not passed to the filter, which causes
	it to interpret the packet incorrectly.

	Without this patch it is impossible to serve DHCP on this
	interface.

	
>How-To-Repeat:
	Try to start dhcp on a subnet that is on an if_ie interface.
	Observe that nothing happens :-(.

	Try to run tcpdump on the same interface; observe that no input
	packets are dumped :-(

	Fix the name of the #ifdef; observe that dumped input packets are
	garbage :-(
	
>Fix:
	Patch attached.  The patch uses the same trick as that in 
	net/if_loop.c (and probably other places).

*** /usr/src/sys/arch/arm32/podulebus/if_ie.c	Sun Mar 28 18:50:01 1999
--- if_ie.c	Tue Sep  7 21:20:53 1999
*************** ie_read_frame(sc, num)
*** 1314,1322 ****
  		ether_sprintf(eh.ether_shost), (u_int)eh.ether_type );
  */
  
! #if NBFILTER > 0
      if ( ifp->if_bpf ) {
! 	bpf_mtap(ifp->if_bpf, m );
      };
  #endif
  
--- 1314,1331 ----
  		ether_sprintf(eh.ether_shost), (u_int)eh.ether_type );
  */
  
! #if NBPFILTER > 0
      if ( ifp->if_bpf ) {
!         /* We need to pass the ethernet header; cons up an mbuf to hold it.
! 	   This is safe since the bpf will only read the packet, it will
! 	   never try to free it.  */
! 	struct mbuf m0;
! 
! 	m0.m_next = m;
! 	m0.m_len = sizeof (struct ether_header);
! 	m0.m_data = (char *)&eh;
! 
! 	bpf_mtap(ifp->if_bpf, &m0 );
      };
  #endif
  

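Review bot: In the new block, m0 is an on-stack struct mbuf with only m_next, m_len and m_data assigned, so every other field holds whatever was on the stack when it reaches bpf_mtap(). The comment argues safety only from bpf never freeing the mbuf; either zero m0 before the three assignments or extend the comment to say that the tap is relied on to read nothing but these three fields. Using sizeof eh for m_len would also tie the length to the object m_data actually points at. Minor: the first comment line is indented with spaces while the rest of the block uses tabs, and the trailing "};" after the if body is a stray empty statement carried over from the old code.
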
>Audit-Trail:
>Unformatted:
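
An added example, not part of the original report or of the NetBSD source: a user-space C model of why a tap that omits the Ethernet header defeats a filter whose offsets are counted from the start of the frame, and how chaining a header buffer in front (the approach the patch takes) restores the match. `struct xmbuf`, the filter function and the sample frame are constructed stand-ins, not kernel code.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for struct mbuf: only the three fields the patch sets. */
struct xmbuf { struct xmbuf *m_next; size_t m_len; const uint8_t *m_data; };

/* Byte at absolute offset k, walking the chain as a filter load would.
   Returns -1 when k lies past the end of the chain. */
static int chain_byte(const struct xmbuf *m, size_t k)
{
	for (; m != NULL; m = m->m_next) {
		if (k < m->m_len)
			return m->m_data[k];
		k -= m->m_len;
	}
	return -1;
}

/* Big-endian 16-bit load at offset k; -1 if either byte is out of range. */
static int chain_half(const struct xmbuf *m, size_t k)
{
	int hi = chain_byte(m, k), lo = chain_byte(m, k + 1);
	return (hi < 0 || lo < 0) ? -1 : (hi << 8) | lo;
}

/* Assumed filter: "IPv4, UDP, destination port 67", offsets measured from
   the start of the Ethernet header and assuming a 20-byte IP header. */
int match_dhcp_server(const struct xmbuf *m)
{
	return chain_half(m, 12) == 0x0800	/* ether_type == IPv4 */
	    && chain_byte(m, 23) == 17		/* ip_p == UDP */
	    && chain_half(m, 36) == 67;		/* UDP destination port */
}

/* Constructed sample: broadcast Ethernet header, then IPv4 + UDP 68 -> 67. */
static const uint8_t eh[14] = { 255,255,255,255,255,255, 2,0,0,0,0,1, 0x08,0x00 };
static const uint8_t payload[28] = {
	0x45,0,0,28, 0,0,0,0, 64,17,0,0, 0,0,0,0, 255,255,255,255,
	0,68, 0,67, 0,8, 0,0 };

int tap_without_header(void)	/* old behaviour: filter sees the payload only */
{
	struct xmbuf m = { NULL, sizeof payload, payload };
	return match_dhcp_server(&m);
}

int tap_with_header(void)	/* patched behaviour: header mbuf chained in front */
{
	struct xmbuf m = { NULL, sizeof payload, payload };
	struct xmbuf m0 = { &m, sizeof eh, eh };
	return match_dhcp_server(&m0);
}

int main(void) { return !(tap_with_header() == 1 && tap_without_header() == 0); }
```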