From: Archie Cobbs
To: Ruslan Ermilov
Cc: stable@FreeBSD.ORG, Julian Elischer
Date: Thu, 8 Apr 2004 09:21:39 -0500 (CDT)
Subject: Re: ng_bridge(4) has an easily exploitable memory leak
Message-Id: <200404081421.i38ELdgJ003094@arch20m.dellroad.org>
In-Reply-To: <20040408100929.GD16290@ip.net.ua>

Ruslan Ermilov wrote:
> > > On RELENG_4, ng_bridge(4) has an easily exploitable memory leak,
> > > and may quickly run system out of mbufs. It's enough to just
> > > have only one link connected to the bridge, e.g., the "upper"
> > > hook of the ng_ether(4) with IP address assigned, and pinging
> > > the broadcast IP address on the interface. The bug is more
> > > real when constructing a bridge, or, like we experienced it,
> > > by shutting down all except one bridge's link. The following
> > > patch fixes it:
> > >
> > > [snipped]
> > >
> > > An alternate solution is to MFC most of ng_bridge.c,v 1.8. Julian?
> >
> > what does an MFC diff look like?
> > (bridge is one of Archie's nodes)

I'd just like to add a personal note... "Oops!" :-)

-Archie

__________________________________________________________________________
Archie Cobbs * CTO, Awarix * http://www.awarix.com