tech-net archive


Re: Overflow bugs in m_get &c.



riastradh%NetBSD.org@localhost (Taylor R Campbell) writes:

>What's your alternative proposal to systematically and confidently
>eliminate this class of bugs exposing vulnerabilities to the network?

I'd start by removing all the open-coded mbuf code or the special
handling of m_pkthdr, and provide proper rules on what sizes and
alignments are required in the different parts of the stack.

As a result, we could probably simplify the zoo of mbuf operations.

I'd also make visible only one type of mbuf: no clusters, no
external memory, except for attaching mbufs to bus_dma memory.

All this will surely not be something that can be automatically applied
to the tree, and I wouldn't rush it out before a release.


>> >3. If N > MLEN or MHLEN, the driver conditionally calls m_clget/MCLGET
>> >   to expand the space to MCLBYTES (typically 2048 but sometimes 1024
>> >   or 4096).
>> 
>> 1024 would be strange, as most of the world assumes that a cluster
>> can store an Ethernet packet of ~1500 bytes plus headers.

>sun2/include/param.h:#define MCLSHIFT   10

I think that breaks some code. But the (only?) ethernet driver
supported for sun2 does handle this by copying data from device
memory into a chain of clusters.
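The sizing step the thread is arguing about, as an added illustration that is not code from this thread or from the NetBSD tree: a model of the "fit in MHLEN, else take a cluster" decision with an explicit capacity check, so that on a platform where MCLSHIFT is 10 a ~1500-byte frame is refused rather than written past the end of a 1024-byte cluster. The struct overheads and MSIZE are constructed assumptions, not any port's real values.

```c
/* Added example, not from the thread or NetBSD: model the driver pattern
 * "if N > MHLEN then m_clget" with a capacity check that catches the
 * MCLSHIFT=10 case instead of silently overflowing the cluster. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sizes in the style of the BSD layout; real ports differ. */
#define MSIZE    256
#define MLEN     (MSIZE - 24)          /* assumed m_hdr overhead */
#define MHLEN    (MLEN - 32)           /* assumed pkthdr overhead */
#define MCLBYTES_FOR(shift) ((size_t)1 << (shift))

/* Where a packet-header mbuf's data can live for a frame of `len` bytes. */
enum fit { FIT_MHLEN, FIT_CLUSTER, FIT_TOO_BIG };

/* Decide the buffer for a `len`-byte frame when clusters are
 * 1 << mclshift bytes.  `cap` (optional) receives the chosen capacity.
 * FIT_TOO_BIG is the case code that assumes "a cluster always holds an
 * Ethernet frame" never checks for; it must be dropped or chained. */
enum fit size_rx_buffer(size_t len, unsigned mclshift, size_t *cap)
{
    size_t cl = MCLBYTES_FOR(mclshift);
    size_t chosen = (len <= MHLEN) ? (size_t)MHLEN : cl;
    if (cap != NULL)
        *cap = chosen;
    if (len <= MHLEN)
        return FIT_MHLEN;
    return (len <= cl) ? FIT_CLUSTER : FIT_TOO_BIG;
}

/* Copy a frame into a buffer of `cap` bytes chosen by size_rx_buffer().
 * Returns bytes copied, or 0 when the frame would overrun the buffer. */
size_t copy_frame(uint8_t *dst, size_t cap, const uint8_t *src, size_t len)
{
    if (len > cap)
        return 0;
    memcpy(dst, src, len);
    return len;
}

/* Self-check: a 1514-byte frame fits a 2048-byte cluster (MCLSHIFT 11)
 * but not a 1024-byte one (MCLSHIFT 10, as on sun2).  Returns 1 on pass. */
int selftest(void)
{
    uint8_t frame[1514], buf[2048];
    size_t cap;
    memset(frame, 0xAB, sizeof frame);             /* constructed payload */
    if (size_rx_buffer(sizeof frame, 11, &cap) != FIT_CLUSTER || cap != 2048)
        return 0;
    if (size_rx_buffer(sizeof frame, 10, &cap) != FIT_TOO_BIG || cap != 1024)
        return 0;
    return copy_frame(buf, 1024, frame, sizeof frame) == 0 &&
           copy_frame(buf, 2048, frame, sizeof frame) == sizeof frame;
}
```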



