Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 7 Sep 1999 07:58:28 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>, Bosko Milekic <bmilekic@dsuper.net>
Cc:        freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: mbuf shortage situations
Message-ID:  <199909071458.HAA00426@salsa.gv.tsc.tdk.com>
In-Reply-To: Matthew Dillon <dillon@apollo.backplane.com> "Re: mbuf shortage situations" (Sep  5,  9:18pm)

next in thread | previous in thread | raw e-mail | index | archive | help
On Sep 5,  9:18pm, Matthew Dillon wrote:
} Subject: Re: mbuf shortage situations
} :	The only reason that I see for which we would actually panic() in
} :this situation (as opposed to suffer the packet loss) is if we get to the
} :point where we're losing packets because some script kid starts up
} :something that will eat up sockbuf space and continuously fork, then we
} :would lose all remote access to the machine in question (since all packets
} :would be dropped) and we wouldn't really mind a panic() for obvious
} :practical reasons.

Well, I really would mind the panic().

} :	In any case, I, personally, would prefer to suffer packet loss as
} :opposed to a panic (especially now that Brian is in the process of writing
} :diffs that will allow us to limit socket buffer space per UID through
} :login.conf!)
} :	Having MGET store that null (e.g. fail as opposed to panic) on a
} :M_WAIT seems fairly easy to fix, and would probably require some patching
} :that would ensure that the packet loss is handeled relatively 'cleanly'
} :(probably some debugging), but I wouldn't mind doing this. However, I'd
} :like to know if there are objections to doing this or, in fact, if there
} :are any suggestions on how to handle mbuf shortage situations (aside from
} :just limiting -- although limiting is in itself a good solution and I'm
} :glad that Brian F. is working on that).

At least historically most of the panics have been caused by the code
not properly checking the result of the MGET and dereferencing a NULL
pointer.  Any of those that are still in the code need to be fixed.

My impression is that for reasonably recent versions of FreeBSD
this attack doesn't panic the machine but just wedges the network
system due to mbuf exhaustion.  The problem is that if you get to
this point you're basically hosed.  It's OK to toss packets that
you receive from the net as long as you haven't sent an ack for them,
toss outgoing UDP packets, and block writes to stream sockets, but
you can't toss acked TCP packets that you've received, or the data
queued to a stream socket by write().  This particular attack does
the latter, so the only possible fix is to prevent all the mbufs
from being consumed by it in the first place.

}     The issue is basically having someone find the time to figure out
}     how to gracefully unwind various pieces of network code when an
}     mbuf cannot be allocated.  Once that is done, the panic can be
}     turned into a (rate-limited) printf.

That won't help.  All that does is keep a root spinning on a failed
syscall instead of blocking on MGET when he's trying to log in to
kill the errant process.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909071458.HAA00426>