From owner-freebsd-stable@FreeBSD.ORG Wed Apr 7 12:29:50 2004
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 53B8316A4CE; Wed, 7 Apr 2004 12:29:50 -0700 (PDT)
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net [204.127.202.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBC2643D46; Wed, 7 Apr 2004 12:29:49 -0700 (PDT) (envelope-from julian@elischer.org)
Received: from interjet.elischer.org ([24.7.73.28]) by comcast.net (sccrmhc11) with ESMTP id <2004040719284101100s3k5ae>; Wed, 7 Apr 2004 19:28:41 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id MAA50557; Wed, 7 Apr 2004 12:28:39 -0700 (PDT)
Date: Wed, 7 Apr 2004 12:28:38 -0700 (PDT)
From: Julian Elischer
To: Ruslan Ermilov
In-Reply-To: <20040407191003.GA1136@ip.net.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: stable@FreeBSD.org
cc: Julian Elischer
Subject: Re: ng_bridge(4) has an easily exploitable memory leak
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Wed, 07 Apr 2004 19:29:50 -0000

On Wed, 7 Apr 2004, Ruslan Ermilov wrote:

> Hi,
>
> On RELENG_4, ng_bridge(4) has an easily exploitable memory leak,
> and may quickly run the system out of mbufs. It's enough to
> have only one link connected to the bridge, e.g., the "upper"
> hook of the ng_ether(4) with an IP address assigned, and to ping
> the broadcast IP address on the interface. The bug is more
> real when constructing a bridge, or, as we experienced it,
> when shutting down all but one of the bridge's links. The following
> patch fixes it:
>
> %%%
> Index: ng_bridge.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netgraph/ng_bridge.c,v
> retrieving revision 1.1.2.6
> diff -u -p -r1.1.2.6 ng_bridge.c
> --- ng_bridge.c 9 Jan 2004 08:58:06 -0000 1.1.2.6
> +++ ng_bridge.c 7 Apr 2004 12:29:46 -0000
> @@ -656,6 +656,11 @@ ng_bridge_rcvdata(hook_p hook, struct mb > link->stats.recvUnknown++; > } > > + /* If there's only one link, stop right here. */ > + if (priv->numLinks == 1) { > + NG_FREE_DATA(m, meta); > + return (0); > + } > /* Distribute unknown, multicast, broadcast pkts to all other links */ > for (linkNum = i = 0; i < priv->numLinks - 1; linkNum++) { > struct ng_bridge_link *const destLink = priv->links[linkNum]; > %%%
>
> An alternate solution is to MFC most of ng_bridge.c,v 1.8.

Julian? What does an MFC diff look like? (bridge is one of Archie's nodes)

> Cheers,
> --
> Ruslan Ermilov
> ru@FreeBSD.org
> FreeBSD committer
>
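Review bot: the added early return is correct, but its comment should state why a single link leaks, so the check is not later removed as redundant: the distribution loop that follows runs while `i < priv->numLinks - 1`, so with `priv->numLinks == 1` its body never executes and nothing ever forwards or frees `m`, which is the mbuf leak the report describes. Suggest `/* Only one link: the distribution loop below would never consume the mbuf, so free it here. */` in place of `/* If there's only one link, stop right here. */`. Two smaller points: the frame is dropped silently via `return (0)`, so consider counting it in `link->stats` next to `recvUnknown` so the condition shows up in the node's statistics before it shows up as mbuf exhaustion; and since any broadcast or multicast frame arriving on the sole remaining link triggers the path, this is a remotely reachable resource-exhaustion bug, so the alternative Ruslan raises (MFC of ng_bridge.c rev 1.8) is worth diffing against this minimal fix to confirm the two handle the same case before one is committed to RELENG_4.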