Subject: kern/31348: bpf(4) does not strip CRC on rtk(4)
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <isaki@par.odn.ne.jp>
List: netbsd-bugs
Date: 09/19/2005 10:12:00
>Number: 31348
>Category: kern
>Synopsis: bpf(4) does not strip CRC on rtk(4)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 19 10:12:00 +0000 2005
>Originator: Tetsuya Isaki
>Release: NetBSD 3.0_BETA/i386
>Organization:
>Environment:
NetBSD 3.0_BETA (XXX) #14: Thu Sep 15 14:31:38 JST 2005
isaki@xxxxxx:/obj/sys/arch/i386/compile/XXX
>Description:
dev/ic/rtl81x9.c (rtk) sets M_HASFCS in m->m_flags,
instead of subtracting ETHER_CRC_LEN from the packet length.
Then ether_input() subtracts ETHER_CRC_LEN from the packet
length if M_HASFCS was set.
However, bpf(4) does not subtract ETHER_CRC_LEN even if
M_HASFCS was set. So tcpdump shows 4 bytes of trailing garbage
on each packet from rtk.
Here is a sample.
On the sender side:
% perl -e 'print "0123456789" x 4;' | nc -u targethost 7
On the receiver side:
% tcpdump -npexX -i rtk0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rtk0, link-type EN10MB (Ethernet), capture size 96 bytes
18:44:36.874822 00:0f:ea:XX:XX:XX > 00:60:e0:YY:YY:YY, ethertype IPv4 (0x0800),
length 86: IP 10.xx.xx.xx.55216 > 10.yy.yy.yy.7: UDP, length: 40
0x0000: 0060 e0YY YYYY 000f eaXX XXXX 0800 4500 .`............E.
0x0010: 0044 d6b0 0000 4011 8ca2 0axx xxxx 0ayy .D....@.........
0x0020: yyyy d7b0 0007 0030 fc57 3031 3233 3435 .......0.W012345
0x0030: 3637 3839 3031 3233 3435 3637 3839 3031 6789012345678901
0x0040: 3233 3435 3637 3839 3031 3233 3435 3637 2345678901234567
0x0050: 3839 0109 2159 89..!Y
             ^^^^^^^^^
>How-To-Repeat:
Send some packets, and tcpdump them on rtk0.
>Fix:
Subtract ETHER_CRC_LEN when M_HASFCS was set
in bpf_mtap() (and bpf_mtap2 ?).
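
Added example (not part of the original report and not NetBSD code): a user-space check for telling whether a captured IPv4 frame still carries the Ethernet FCS, as in the dump above where length 86 minus the 14-byte header minus IP total length 0x0044 leaves 4 bytes. The function names, placeholder MAC addresses and the sample frame are constructed for illustration; the CRC comparison separates a real FCS from minimum-frame padding, which also produces trailing bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETHER_HDR_LEN 14
#define ETHER_CRC_LEN 4   /* same value as the kernel constant named in the report */

/* IEEE 802.3 CRC-32, bitwise, reflected polynomial 0xEDB88320. */
static uint32_t ether_crc32(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Bytes captured past the end of the IPv4 datagram; -1 if not IPv4 or truncated. */
static int trailing_bytes(const uint8_t *f, size_t len) {
    if (len < ETHER_HDR_LEN + 20 || f[12] != 0x08 || f[13] != 0x00) return -1;
    size_t ip_len = ((size_t)f[16] << 8) | f[17];    /* IPv4 total length field */
    if (ip_len < 20 || ETHER_HDR_LEN + ip_len > len) return -1;
    return (int)(len - ETHER_HDR_LEN - ip_len);
}

/* 1 if the last 4 bytes are the FCS (low byte first) of the bytes before them. */
static int has_trailing_fcs(const uint8_t *f, size_t len) {
    if (len <= ETHER_CRC_LEN) return 0;
    const uint8_t *t = f + len - ETHER_CRC_LEN;
    uint32_t got = t[0] | t[1] << 8 | t[2] << 16 | (uint32_t)t[3] << 24;
    return ether_crc32(f, len - ETHER_CRC_LEN) == got;
}

/* Constructed sample: 14 + 20 + 8 + 40 = 82-byte UDP frame; buf must hold 86. */
static size_t build_sample(uint8_t *f, int with_fcs) {
    memset(f, 0, 86);
    f[0] = f[6] = 0x02;                  /* placeholder locally administered MACs */
    f[12] = 0x08; f[14] = 0x45; f[17] = 0x44; f[23] = 0x11;  /* IPv4, len 0x44, UDP */
    for (int i = 0; i < 40; i++) f[42 + i] = (uint8_t)('0' + i % 10);
    uint32_t c = ether_crc32(f, 82);     /* FCS covers header and payload only */
    for (int i = 0; with_fcs && i < 4; i++) f[82 + i] = (uint8_t)(c >> (8 * i));
    return with_fcs ? 86 : 82;
}

int main(void) {
    uint8_t f[86];
    size_t n = build_sample(f, 1);       /* frame as bpf would see it with FCS kept */
    printf("len %zu, trailing %d, fcs %d\n", n, trailing_bytes(f, n), has_trailing_fcs(f, n));
}
```

The check needs the whole frame, so capture with a snap length at least as large as the frames being tested.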