kern/149807: [patch] [ipfw] panic due to bpf write to ipfw interface

Dmitrij Tejblum tejblum at
Thu Aug 19 16:20:02 UTC 2010

>Number:         149807
>Category:       kern
>Synopsis:       [patch] [ipfw] panic due to bpf write to ipfw interface
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 19 16:20:01 UTC 2010
>Originator:     Dmitrij Tejblum
>Release:        8.1-STABLE
OOO Yandex
ipfw create a pseudo-interface named ipfw0. It looks pretty much like an ethernet interface. If a program attach a bpf to the interface and send a multicast packet via it, a panic will occur.

(Of course, sending packets to the ipfw0 interface is not useful. But some programs may do it. E.g., an CDP or LLDP daemon by default would try to send its packets to all interfaces in the systems, including ipfw0, if it's configured.)

The cause of the panic is unitialized `if_broadcastaddr' field of the ipfw0's ifnet struct. The field is supposed to be initialized, and it is used in e.g. sys/net/bpf.c
On a system with ipfw configured, install net-mgmt/openlldp port, run lldpd, and wait for a minute or so.

Patch attached with submission follows:

--- sys/netinet/ipfw/ip_fw_log.c	2010-03-23 12:58:59.000000000 +0300
+++ sys/netinet/ipfw/ip_fw_log.c	2010-08-19 19:33:39.000000000 +0400
@@ -103,6 +103,9 @@ log_dummy(struct ifnet *ifp, u_long cmd,
 	return EINVAL;
+static const u_char ipfwbroadcastaddr[6] =
+                        { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
 ipfw_log_bpf(int onoff)
@@ -124,6 +127,7 @@ ipfw_log_bpf(int onoff)
 		ifp->if_addrlen = 6;
 		ifp->if_hdrlen = 14;
+		ifp->if_broadcastaddr = ipfwbroadcastaddr;
 		ifp->if_baudrate = IF_Mbps(10);
 		bpfattach(ifp, DLT_EN10MB, 14);
 		log_if = ifp;


More information about the freebsd-bugs mailing list