From 31f0fa96d0969964be882066f7d4eda26d6e40d1 Mon Sep 17 00:00:00 2001
From: David Gwynne
Date: Thu, 19 Apr 2018 22:31:26 +0000
Subject: when adding span ports, restrict them to ether and mplstunnel interfaces. this is the same check that's done when adding normal members to the bridge. it prevents things like gif(4) being added to the bridge, which in turn prevents panics when shoving ethernet packets down a layer 3 interface. reported and tested by jasper@
---
 sys/net/if_bridge.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index a12919dd660..6374fa20495 100644
--- sys/net/if_bridge.c
+++ sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.307 2018/02/19 08:59:52 mpi Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.308 2018/04/19 22:31:25 dlg Exp $ */
 
 /*
 * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -361,6 +361,11 @@ bridge_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 error = ENOENT;
 break;
 }
+ if (ifs->if_type != IFT_ETHER &&
+ ifs->if_type != IFT_MPLSTUNNEL) {
+ error = EINVAL;
+ break;
+ }
 if (ifs->if_bridgeport != NULL) {
 error = EBUSY;
 break;
--
cgit v1.2.3
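Review bot: The new `if_type` test in the span-port branch of the second hunk is, going by the commit message, a second copy of the check already applied when adding normal members, so the two allow-lists can drift apart when another interface type or attach path is added. Consider one small `static` predicate that tests `ifs->if_type` against `IFT_ETHER` and `IFT_MPLSTUNNEL` and is called from both places. The member-add code is outside this hunk, so whether the two checks match exactly is inferred from the description rather than visible here. The check also deserves a why-comment, because the panic it prevents is not obvious from the code: `/* span ports are handed Ethernet frames; refuse layer 3 interfaces such as gif(4) */`. bridge_ioctl's body starts and ends outside the hunk.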