hrev52027 adds 2 changesets to branch 'master'
old head: 2a3a847f828f2f47b4cc18f952da2ca9eaf475ef
new head: 09c7b1526f3bbad5bb6b3bd34bd5630b5b750375
overview:
https://git.haiku-os.org/haiku/log/?qt=range&q=09c7b1526f3b+%5E2a3a847f828f
----------------------------------------------------------------------------
e4104854c3ba: if_dl: Increase size of sdl_data from 20 to 46 bytes.
FreeBSD's is presently 46 bytes. CID 1422869 warns that it can get overrun
in if_attach() in copying if_xname which is IF_NAMESIZE bytes (32).
This breaks ABI, but BeOS did not have sockaddr_dl, it is only a modern-GCC
ABI break. Since most applications assume that sockaddr_dl is variable-length
and is null-terminated, as well as not used very often, hopefully this will
require relatively few rebuilds.
09c7b1526f3b: freebsd11_network: Fix MLEN/MHLEN macros after mbufq changes.
In 02cb8503d252cdb896ce01b0d1e436defdb45932, I added the m_next and
m_nextpkt structures to mbuf, as per FreeBSD's mbufq system that
FreeBSD 11.1's net80211 code uses. What I didn't realize (and
korli and PulkoMandy who reviewed my code didn't notice either)
is that the data fields in mbuf are sometimes dealt with through
these LEN macros, which were now incorrect after such changes.
This caused an out-of-bounds memory write for data above a certain
size that was attempting to be written into an mbuf that under the
old sizing would have been fine, but under this new sizing was invalid,
and this manifested itself as a KDL under the guarded_heap (#14207).
It possibly also manifested itself as a stack-smash with the new net80211
code (uncommitted on a local machine, and the reason I tried using
the guarded heap in the first place.)
Now we use FreeBSD 11's macros, which use offsetof instead of raw
integer math. This means that we can't specify the struct size in mbuf
as these structs are computed from mbuf's definition, and thus have
to rely on the allocator giving mbuf the correct size (as FreeBSD
does also.)
[ Augustin Cavalier <waddlesplash@xxxxxxxxx> ]
----------------------------------------------------------------------------
2 files changed, 8 insertions(+), 6 deletions(-)
headers/posix/net/if_dl.h | 4 ++--
src/libs/compat/freebsd11_network/compat/sys/mbuf.h | 10 ++++++----
############################################################################
Commit: e4104854c3ba8ed7c7f9c26515e07bbc1f760f9e
URL: https://git.haiku-os.org/haiku/commit/?id=e4104854c3ba
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Wed Jun 20 22:35:55 2018 UTC
if_dl: Increase size of sdl_data from 20 to 46 bytes.
FreeBSD's is presently 46 bytes. CID 1422869 warns that it can get overrun
in if_attach() in copying if_xname which is IF_NAMESIZE bytes (32).
This breaks ABI, but BeOS did not have sockaddr_dl, it is only a modern-GCC
ABI break. Since most applications assume that sockaddr_dl is variable-length
and is null-terminated, as well as not used very often, hopefully this will
require relatively few rebuilds.
----------------------------------------------------------------------------
diff --git a/headers/posix/net/if_dl.h b/headers/posix/net/if_dl.h
index b7dc7ad99b..9c79b8bd44 100644
--- a/headers/posix/net/if_dl.h
+++ b/headers/posix/net/if_dl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2012 Haiku, Inc. All Rights Reserved.
+ * Copyright 2006-2018 Haiku, Inc. All Rights Reserved.
* Distributed under the terms of the MIT License.
*/
#ifndef _NET_IF_DL_H
@@ -19,7 +19,7 @@ struct sockaddr_dl {
uint8_t sdl_nlen; /* interface name length (not
terminated with a null byte) */
uint8_t sdl_alen; /* link level address length */
uint8_t sdl_slen; /* link layer selector length */
- uint8_t sdl_data[20]; /* minimum work area, can be larger */
+ uint8_t sdl_data[46]; /* minimum work area, can be larger */
};
/* Macro to get a pointer to the link level address */
############################################################################
Revision: hrev52027
Commit: 09c7b1526f3bbad5bb6b3bd34bd5630b5b750375
URL: https://git.haiku-os.org/haiku/commit/?id=09c7b1526f3b
Author: Augustin Cavalier <waddlesplash@xxxxxxxxx>
Date: Thu Jun 21 01:19:45 2018 UTC
Ticket: https://dev.haiku-os.org/ticket/14207
freebsd11_network: Fix MLEN/MHLEN macros after mbufq changes.
In 02cb8503d252cdb896ce01b0d1e436defdb45932, I added the m_next and
m_nextpkt structures to mbuf, as per FreeBSD's mbufq system that
FreeBSD 11.1's net80211 code uses. What I didn't realize (and
korli and PulkoMandy who reviewed my code didn't notice either)
is that the data fields in mbuf are sometimes dealt with through
these LEN macros, which were now incorrect after such changes.
This caused an out-of-bounds memory write for data above a certain
size that was attempting to be written into an mbuf that under the
old sizing would have been fine, but under this new sizing was invalid,
and this manifested itself as a KDL under the guarded_heap (#14207).
It possibly also manifested itself as a stack-smash with the new net80211
code (uncommitted on a local machine, and the reason I tried using
the guarded heap in the first place.)
Now we use FreeBSD 11's macros, which use offsetof instead of raw
integer math. This means that we can't specify the struct size in mbuf
as these structs are computed from mbuf's definition, and thus have
to rely on the allocator giving mbuf the correct size (as FreeBSD
does also.)
----------------------------------------------------------------------------
diff --git a/src/libs/compat/freebsd11_network/compat/sys/mbuf.h
b/src/libs/compat/freebsd11_network/compat/sys/mbuf.h
index 94670ffb73..18c9c76405 100644
--- a/src/libs/compat/freebsd11_network/compat/sys/mbuf.h
+++ b/src/libs/compat/freebsd11_network/compat/sys/mbuf.h
@@ -12,8 +12,10 @@
#include <vm/uma.h>
-#define MLEN ((int)(MSIZE - sizeof(struct m_hdr)))
-#define MHLEN ((int)(MLEN - sizeof(struct pkthdr)))
+#define MHSIZE __offsetof(struct mbuf, m_dat)
+#define MPKTHSIZE __offsetof(struct mbuf, m_pktdat)
+#define MLEN ((int)(MSIZE - MHSIZE))
+#define MHLEN ((int)(MSIZE - MPKTHSIZE))
#define MINCLSIZE (MHLEN + 1)
@@ -137,10 +139,10 @@ struct mbuf {
struct pkthdr MH_pkthdr;
union {
struct m_ext MH_ext;
- char MH_databuf[MHLEN];
+ char MH_databuf[0];
} MH_dat;
} MH;
- char M_databuf[MLEN];
+ char M_databuf[0];
} M_dat;
};
