On Fri, Sep 19, 2008 at 03:51:31PM -0700, Maksim Yevmenkin wrote: > On Fri, Sep 19, 2008 at 3:43 PM, Maksim Yevmenkin > <maksim.yevmenkin_at_gmail.com> wrote: > > [....] > > > >>> That what has caused me to look into this issue. You can find patch for > >>> security/vpnc to prevent unbounded interface cloning here: > >>> > >>> http://sobomax.sippysoft.com/~sobomax/vpnc.diff > >>> > >> Ok, the patch prevents interface cloning, but I think it doesn't solve > >> the actual problem. > >> Let's wait for Maksim :) > > As for vpnc-script, yes I also think using kldstat to check if the module is present is more correct than stat-ing /dev/tun. Actually I have commented these lines out in my previous mail instead of applying the patch %-) > > ok, how about attached patch. i put it together *very* quickly and > > only gave it a light testing. its for tap(4), because i could compile > > it as a module and tun(4) is compiled into kernel by default, but the > > idea should identical for tun(4). should be even simpler for tun(4) > > because it does not have to deal with 2 kind of devices (i.e. tap and > > vmnet). give it a try, and see if it works. please try both cloning > > paths, i.e. > > > > 1) cat /dev/tap (/dev/vmnet) with and/or without unit number > > > > and > > > > 2) ifconfig tapX (vmnetX) create/destroy > > > > in the mean time i will prepare something similar for tun(4). > > attached is similar patch for tun(4). i only made sure it compiles :) > rebuilding kernel now... > Ok, I have tried both patches and in both cases 'cloning bug' is went away. I have tried cat /dev/tap (creates only /dev/tap0) cat /dev/tapX (creates exactly /dev/tapX) stat /dev/[tun|tap|vmnet] (creates only '0' device) and also running unpatched security/vpnc. Everything works fine! Thanks! Alexey.Received on Fri Sep 19 2008 - 22:34:25 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:35 UTC