Bug in bridge interface removal?

From: Erich Schubert
Date: Fri May 14 2004 - 08:48:24 EST


Hi, on an embedded system i had a crash when doing the following
(invalid) sequence of commands:
Note that this is an outdated kernel, 2.4.19-uc1 with some
modifications; i'm not sure if this is maybe already fixed.

brctl addbr br0
brctl addbr br1
brctl addif br0 eth0
brctl delif br1 eth0
(causing a kernel crash after a second)

yes, i'm deleting the interface from the wrong bridge. Since this
requires root privileges, this isn't much of an "exploit" or so. But it
takes down the system reliably here (but it is an MMUless ARM, you can
take that one down really easy...)

Having a short look at the source i didn't see any safety measure in
http://lxr.linux.no/source/net/bridge/br_if.c#L254
(Neither in 2.4.x, nor in 2.6.x)

I'd suggest adding the following line to the beginning of br_del_if:

if (dev->br_port->br != br) return -EINVAL;

After adding this line i get
device eth1 is not a slave of br0
instead of the reboot.

Greetings,
Erich

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/