From owner-freebsd-stable@FreeBSD.ORG Wed Apr 7 12:13:23 2004
Date: Wed, 7 Apr 2004 22:10:03 +0300
From: Ruslan Ermilov
To: Julian Elischer
cc: stable@FreeBSD.org
Subject: ng_bridge(4) has an easily exploitable memory leak
Message-ID: <20040407191003.GA1136@ip.net.ua>
User-Agent: Mutt/1.5.6i
List-Id: Production branch of FreeBSD source code

Hi,

On RELENG_4, ng_bridge(4) has an easily exploitable memory leak, and may
quickly run the system out of mbufs.  It's enough to have only one link
connected to the bridge, e.g., the "upper" hook of the ng_ether(4) with an
IP address assigned, and to ping the broadcast IP address on the interface.
The bug is more real when constructing a bridge, or, as we experienced it,
by shutting down all except one of the bridge's links.

The following patch fixes it:

%%%
Index: ng_bridge.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_bridge.c,v
retrieving revision 1.1.2.6
diff -u -p -r1.1.2.6 ng_bridge.c
--- ng_bridge.c	9 Jan 2004 08:58:06 -0000	1.1.2.6
+++ ng_bridge.c	7 Apr 2004 12:29:46 -0000
@@ -656,6 +656,11 @@ ng_bridge_rcvdata(hook_p hook, struct mb
 		link->stats.recvUnknown++;
 	}
 
+	/* If there's only one link, stop right here. */
+	if (priv->numLinks == 1) {
+		NG_FREE_DATA(m, meta);
+		return (0);
+	}
 	/* Distribute unknown, multicast, broadcast pkts to all other links */
 	for (linkNum = i = 0; i < priv->numLinks - 1; linkNum++) {
 		struct ng_bridge_link *const destLink = priv->links[linkNum];
%%%

An alternate solution is to MFC most of ng_bridge.c,v 1.8.  Julian?


Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAdFILUkv4P6juNwoRAuGFAJwJONUqXnTxNtw5McTBoLw/cjc8JQCZARKE
/feT/mTsUfBR4RruYrNyljM=
=mVHe
-----END PGP SIGNATURE-----
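Review bot: the `if (priv->numLinks == 1)` guard special-cases the one-link bridge instead of fixing the distribution path it sits in front of. The context lines show why the leak happens: the loop runs `for (linkNum = i = 0; i < priv->numLinks - 1; linkNum++)` over "all other links", so with a single link the body never executes and nothing on this path frees `m`; if the loop can exit for any other reason without a link having taken ownership of `m`, that exit leaks the same way and the guard does not cover it. Since the mail already floats MFCing ng_bridge.c,v 1.8 as the alternative, it is worth checking whether that version frees `m` generically on the loop's exit path before committing the minimal guard. If the guard is what goes in, please add a blank line before the `/* Distribute unknown, multicast, broadcast pkts to all other links */` comment so the new block does not run straight into it, and note in the commit log that the early return comes after `link->stats.recvUnknown++` and the surrounding accounting, so link statistics are unchanged by it.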
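The leak pattern the mail describes, as an added user-space model rather than ng_bridge(4) or any other FreeBSD code: a broadcast received on the bridge's only link is handed to a loop that distributes copies to every other link and hands the original to the last of them, so with one link nothing ever frees it. The types and functions below (`pkt`, `bridge`, `bridge_rcvdata_leaky`, `bridge_rcvdata_fixed`, `leaked_after_broadcast`, `last_send_count`) and the frame bytes are constructed for this example; the fixed variant applies the same single-link guard as the patch, and the allocation counter stands in for mbuf pool usage.

```c
/* Added example, not ng_bridge(4) code: a user-space model of the single-link
 * broadcast leak. All names are hypothetical stand-ins for mbuf/netgraph objects. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINKS 8

/* Stand-in for an mbuf chain. */
struct pkt {
	size_t len;
	unsigned char data[64];
};

static int live_pkts;	/* outstanding allocations; models mbuf pool usage */
static int last_sent;	/* packets handed to links in the last simulation */

static struct pkt *pkt_alloc(const unsigned char *d, size_t n)
{
	struct pkt *p = calloc(1, sizeof *p);
	if (p == NULL)
		abort();
	if (n > sizeof p->data)
		n = sizeof p->data;
	memcpy(p->data, d, n);
	p->len = n;
	live_pkts++;
	return p;
}

static struct pkt *pkt_copy(const struct pkt *p)
{
	return pkt_alloc(p->data, p->len);
}

static void pkt_free(struct pkt *p)
{
	free(p);
	live_pkts--;
}

struct bridge {
	int numLinks;
};

/* A link takes ownership of what it is handed, as a netgraph hook would. */
static void link_send(int linkNum, struct pkt *p)
{
	(void)linkNum;
	last_sent++;
	pkt_free(p);
}

/* Mirrors the loop shape in the patch's context lines: copies go to every link
 * except the incoming one and the original is handed to the last of them. With
 * numLinks == 1 there are no "other" links, the body never runs, and p is
 * never freed: that is the leak. */
static void bridge_rcvdata_leaky(struct bridge *b, int inLink, struct pkt *p)
{
	int others = b->numLinks - 1;
	int i, linkNum;

	for (linkNum = i = 0; i < others; linkNum++) {
		if (linkNum == inLink)
			continue;
		i++;
		if (i < others)
			link_send(linkNum, pkt_copy(p));	/* not the last: send a copy */
		else
			link_send(linkNum, p);			/* last destination takes the original */
	}
}

/* Same guard as the patch: with a single link, free the packet and stop. */
static void bridge_rcvdata_fixed(struct bridge *b, int inLink, struct pkt *p)
{
	if (b->numLinks == 1) {
		pkt_free(p);
		return;
	}
	bridge_rcvdata_leaky(b, inLink, p);
}

/* Push one constructed broadcast frame, received on link 0, through a bridge
 * with n links and return how many packets remain allocated afterwards
 * (0 means no leak; -1 for an invalid link count). */
static int leaked_after_broadcast(int n, int use_fix)
{
	/* constructed frame: dst ff:ff:ff:ff:ff:ff followed by filler */
	static const unsigned char frame[] =
	    "\xff\xff\xff\xff\xff\xff" "constructed broadcast frame";
	struct bridge b;
	struct pkt *p;
	int before = live_pkts;

	if (n < 1 || n > MAX_LINKS)
		return -1;
	b.numLinks = n;
	last_sent = 0;
	p = pkt_alloc(frame, sizeof frame - 1);
	if (use_fix)
		bridge_rcvdata_fixed(&b, 0, p);
	else
		bridge_rcvdata_leaky(&b, 0, p);
	return live_pkts - before;
}

static int last_send_count(void)
{
	return last_sent;
}

int main(void)
{
	int leaked, sent;

	leaked = leaked_after_broadcast(1, 0); sent = last_send_count();
	printf("1 link, unfixed:  %d leaked, %d sent\n", leaked, sent);
	leaked = leaked_after_broadcast(1, 1); sent = last_send_count();
	printf("1 link, fixed:    %d leaked, %d sent\n", leaked, sent);
	leaked = leaked_after_broadcast(3, 0); sent = last_send_count();
	printf("3 links, unfixed: %d leaked, %d sent\n", leaked, sent);
	return 0;
}
```

Every broadcast through the unfixed one-link bridge raises the live count by one and never lowers it, which is the mbuf exhaustion the mail reports from pinging the broadcast address; with two or more links the original is consumed by the last destination and the count returns to zero, so the bug only shows once a bridge is reduced to a single link.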