Date: Wed, 7 Apr 2004 22:10:03 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Julian Elischer <julian@FreeBSD.org>
Cc: stable@FreeBSD.org
Subject: ng_bridge(4) has an easily exploitable memory leak
Message-ID: <20040407191003.GA1136@ip.net.ua>
Hi,

On RELENG_4, ng_bridge(4) has an easily exploitable memory leak, and may quickly run the system out of mbufs. It's enough to just have only one link connected to the bridge, e.g., the "upper" hook of the ng_ether(4) with an IP address assigned, and pinging the broadcast IP address on the interface. The bug is more real when constructing a bridge, or, like we experienced it, by shutting down all except one bridge's link.

The following patch fixes it:

%%%
Index: ng_bridge.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netgraph/ng_bridge.c,v retrieving revision 1.1.2.6 diff -u -p -r1.1.2.6 ng_bridge.c --- ng_bridge.c 9 Jan 2004 08:58:06 -0000 1.1.2.6 +++ ng_bridge.c 7 Apr 2004 12:29:46 -0000 @@ -656,6 +656,11 @@ ng_bridge_rcvdata(hook_p hook, struct mb link->stats.recvUnknown++; } =20 + /* If there's only one link, stop right here. */ + if (priv->numLinks =3D=3D 1) { + NG_FREE_DATA(m, meta); + return (0); + } /* Distribute unknown, multicast, broadcast pkts to all other links */ for (linkNum =3D i =3D 0; i < priv->numLinks - 1; linkNum++) { struct ng_bridge_link *const destLink =3D priv->links[linkNum];
%%%

An alternate solution is to MFC most of ng_bridge.c,v 1.8. Julian?

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
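
Review bot: The comment on the added `if (priv->numLinks == 1)` block in ng_bridge_rcvdata() says only "stop right here" and does not record why the early exit is needed: with a single link the loop bound `i < priv->numLinks - 1` is already false on entry, so the distribution loop never runs and `m` and `meta` are neither forwarded nor freed there. I would spell that out in the comment, for example "no other links to forward to, so free the packet here or it is leaked", so that the `NG_FREE_DATA(m, meta)` call is not later removed as redundant. As a style point, the closing brace of the new block runs straight into the existing "Distribute unknown, multicast, broadcast pkts" comment; a blank line after the `}` would keep the two steps visually separate.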