tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Overflow bugs in m_get &c. (Taylor R Campbell) writes:

>What's your alternative proposal to systematically and confidently
>eliminate this class of bugs exposing vulnerabilities to the network?

I'd start by removing all the open-coded mbuf code or the special
handling of m_pkghdr, and to provide proper rules on what sizes and
alignments are required in the different parts of the stack.

As a result, we could probably simplify the zoo of mbuf operations.

I'd also would make visible only one type of mbufs, no clusters, no
external memory, except for attaching mbufs to bus_dma memory.

All this will surely not be something that can automatically applied
to the tree, and I wouldn't rush it out before a release.

>> >3. If N > MLEN or MHLEN, the driver conditionally calls m_clget/MCLGET
>> >   to expand the space to MCLBYTES (typically 2048 but sometimes 1024
>> >   or 4096).
>> 1024 would be strange, as most of the world asssumes that a cluster
>> can store an Ethernet packet of ~1500 bytes plus headers.

>sun2/include/param.h:#define MCLSHIFT   10

I think that breaks some code. But the (only?) ethernet driver
supported for sun2 does handle this by copying data from device
memory into a chain of clusters.

Home | Main Index | Thread Index | Old Index