Memory will be overwrite if configure more than 128 multicast addresses on ixgbe NIC, and maybe cause system panic. How-To-Repeat: configure more than 128 multicast addresses on ixgbe NIC
Because of the way that ixgbe(4) was split/deleted/readded to support if_ixv.c, its impossible to tell when this was committed to freebsd. After a code review, this patch was applied at some point in the last few years.static void ixgbe_set_promisc(struct adapter *adapter) { u_int32_t reg_rctl; struct ifnet *ifp = adapter->ifp; int mcnt = 0; reg_rctl = IXGBE_READ_REG(&adapter->hw, IXGBE_FCTRL); reg_rctl &= (~IXGBE_FCTRL_UPE); if (ifp->if_flags & IFF_ALLMULTI) mcnt = MAX_NUM_MULTICAST_ADDRESSES; else { struct ifmultiaddr *ifma; #if __FreeBSD_version < 800000 IF_ADDR_LOCK(ifp); #else if_maddr_rlock(ifp); #endif TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) { if (ifma->ifma_addr->sa_family != AF_LINK) continue; if (mcnt == MAX_NUM_MULTICAST_ADDRESSES) break; mcnt++; } -------------------------- snip ------------------------------------------ static void ixgbe_set_multi(struct adapter *adapter) { u32 fctrl; u8 *update_ptr; struct ifmultiaddr *ifma; struct ixgbe_mc_addr *mta; int mcnt = 0; struct ifnet *ifp = adapter->ifp; IOCTL_DEBUGOUT("ixgbe_set_multi: begin"); mta = adapter->mta; bzero(mta, sizeof(*mta) * MAX_NUM_MULTICAST_ADDRESSES); #if __FreeBSD_version < 800000 IF_ADDR_LOCK(ifp); #else if_maddr_rlock(ifp); #endif TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) { if (ifma->ifma_addr->sa_family != AF_LINK) continue; if (mcnt == MAX_NUM_MULTICAST_ADDRESSES) break; bcopy(LLADDR((struct sockaddr_dl *) ifma->ifma_addr), mta[mcnt].addr, IXGBE_ETH_LENGTH_OF_ADDRESS); mta[mcnt].vmdq = adapter->pool; mcnt++; }