cvs commit: src/sys/net if_vlan.c

Yar Tikhiy yar at comp.chem.msu.su
Sat Aug 5 21:11:59 UTC 2006 

On Fri, Aug 04, 2006 at 09:27:56AM -0700, Sam Leffler wrote:
> Yar Tikhiy wrote:
> > On Thu, Aug 03, 2006 at 10:11:11AM -0700, Sam Leffler wrote:
> >> Yar Tikhiy wrote:
> >>> yar         2006-08-03 09:59:09 UTC
> >>>
> >>>   FreeBSD src repository
> >>>
> >>>   Modified files:
> >>>     sys/net              if_vlan.c 
> >>>   Log:
> >>>   Should vlan_input() ever be called with ifp pointing to a non-Ethernet
> >>>   interface, do not just assign -1 to tag because it breaks the logic of
> >>>   the code to follow.  The better way is to handle this case as an unsupported
> >>>   protocol and return unless INVARIANTS is in effect and we can panic.
> >>>   Panic is good there because the scenario can happen only because of a
> >>>   coding error elsewhere.
> >>>   
> >>>   We also should show the interface name in the panic message for easier
> >>>   debugging of the problem, should it ever emerge.
> >> Introducing a panic in a place where you can trivially recover is bad
> >> regardless of why you got there.  Many people run production systems
> >> with INVARIANTS turned on.  Is it now possible to send a "packet of
> >> death" by exploiting this code path?
> > 
> > No nastygram can ever achieve this; only FreeBSD commiters possess
> > the ability to :-)
> > 
> > The panic can never be reached unless one manages to attach a vlan
> > interface to a non-Ethernet physical interface in advance, which
> > is totally prohibited by the code at the beginning of vlan_config();
> > and vlan_config() is the only way to attach a vlan interface to a
> > physical interface.
> > 
> > I.e., it will take a developer breaking the logic in /sys/net to
> > make the code path expoloitable.
> > 
> > OTOH, you are right that we can at least attempt to recover from
> > the situation.  Perhaps it's time to introduce a common macro or
> > function that emits a message on the console and then just calls
> > kdb_backtrace() instead of dumping core and halting the system?
> > So users will be able to post the stack traces to the lists and
> > thus help to spot the possible bugs w/o having to go through panics.
> > I'm unsure if sticking raw kdb_backtrace() calls in such places
> > is a good idea, so I'm suggesting a wrapper function or macro.
> > It is to be used in "can absolutely never happen" cases that are
> > not fatal, like the one under discussion.
> > 
> 
> It is my experience that problems like the "packet of death" come about
> from (well-meaning) planting of a landmine of this sort followed,
> sometime later, by another person enabling the code path.  I work by the
> rule that panic should be used only in places where you have no way to
> recover or recovery is so hard as to be not worthwhile (based on the
> circumstances).

Sounds fair!  if_vlan.c appears to use quite a few KASSERT's and
panic's in places where it could recover by, e.g., failing the
current operation.  I'll revise them.

-- 
Yar

More information about the cvs-all mailing list