From owner-freebsd-net Thu Apr 18 0:28:42 2002
Date: Thu, 18 Apr 2002 16:28:11 +0900
From: SUZUKI Shinsuke
To: ru@FreeBSD.ORG, jayanth@FreeBSD.ORG
Cc: freebsd-net@FreeBSD.ORG
Subject: Questions on ip_output.c's patch for FreeBSD-SA-02:21.tcpip
In-Reply-To: <200204171923.g3HJNg958905@freefall.freebsd.org>
References: <200204171923.g3HJNg958905@freefall.freebsd.org>
Organization: IP Network Research Center, R & D Group, Hitachi, Ltd, Japan

Hello all,

#I'm not sure where to discuss this issue. So please forward this
#mail or reply with CC for the appropriate person or ML.

> FreeBSD-SA-02:21.tcpip Security Advisory
> Topic: routing table memory leak
> Category: core
> Module: net
> Announced: 2002-04-17
> Credits: Jayanth Vijayaraghavan
> Ruslan Ermilov

I have one proposal for this fix.

In this patch, ip_output() is assumed to receive a non-NULL rtentry
argument from its caller. Two files are patched to support this, so
there's no problem right now. However, if some new module calls
ip_output() carelessly with a NULL rtentry argument, the kernel would
crash. I don't think it is a good change.

KAME rewrote the attached patch to improve this point:
- This memory leak is fixed, of course :-) (at least I confirmed it on 5-current).
- Non-NULL rtentry for ip_output() is still accepted. So only a patch in ip_output.c is enough.

Could you please correct me if I'm wrong, or consider adopting this patch?
(It's a patch for 5-current, but it's not so difficult to modify it for the 4-stable and 4.5-release branches.)

Thanks,
----
SUZUKI, Shinsuke / KAME Project

Index: ip_output.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v retrieving revision 1.154 diff -u -u -r1.154 ip_output.c --- ip_output.c 1 Apr 2002 21:31:06 -0000 1.154 +++ ip_output.c 18 Apr 2002 07:11:01 -0000 @@ -123,12 +123,12 @@ struct mbuf *m = m0; int hlen = sizeof (struct ip); int len, off, error = 0; + struct route iproute; struct sockaddr_in *dst; struct in_ifaddr *ia; int isbroadcast, sw_csum; struct in_addr pkt_dst; #ifdef IPSEC - struct route iproute; struct socket *so = NULL; struct secpolicy *sp = NULL; #endif @@ -189,9 +189,6 @@ #ifdef DIAGNOSTIC if ((m->m_flags & M_PKTHDR) == 0) panic("ip_output no HDR"); - if (!ro) - panic("ip_output no route, proto = %d", - mtod(m, struct ip *)->ip_p); #endif if (opt) { m = ip_insertoptions(m, opt, &len); @@ -217,6 +214,11 @@ hlen = IP_VHL_HL(ip->ip_vhl) << 2; } + /* Route packet. */ + if (ro == NULL) { + ro = &iproute; + bzero(ro, sizeof(*ro)); + } dst = (struct sockaddr_in *)&ro->ro_dst; /* * If there is a cached route, @@ -1004,11 +1006,11 @@ ipstat.ips_fragmented++; } done: -#ifdef IPSEC if (ro == &iproute && ro->ro_rt) { RTFREE(ro->ro_rt); ro->ro_rt = NULL; } +#ifdef IPSEC if (sp != NULL) { KEYDEBUG(KEYDEBUG_IPSEC_STAMP, printf("DP ip_output call free SP:%p\n", sp));
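Review bot: In the second hunk (@@ -189,9 +189,6 @@), dropping the DIAGNOSTIC panic for a NULL ro is only safe if nothing between the removed check and the new `if (ro == NULL)` block in the third hunk dereferences ro; the visible context (ip_insertoptions() and the hlen computation) does not touch ro, but the intervening lines are not shown in this diff, so that should be verified before commit. The removed panic was also the only statement of the old calling convention, so the commit message should say explicitly that a NULL ro is now an accepted argument rather than a bug.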
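Review bot: In the third hunk (@@ -217,6 +214,11 @@), the bzero() of iproute is what lets the cached-route check that follows (`If there is a cached route`) see ro_rt == NULL and fall through to a fresh lookup, so it must stay; an uninitialised stack struct route could otherwise be treated as a valid cache. Since ro now points at a stack buffer, every exit path after this point must reach done: once a route has been looked up, or the reference taken into iproute is leaked, which is the same class of bug the advisory fixes; suggest auditing the `return` and `goto` statements in the code between this hunk and done: (not visible in this diff).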
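Review bot: In the last hunk (@@ -1004,11 +1006,11 @@), moving the RTFREE block out of #ifdef IPSEC makes the release unconditional, and the `ro == &iproute` test preserves the ownership rule: a route the caller passed in is never freed here, so callers that cache a struct route across calls keep their reference. This is the first use of iproute outside IPSEC in the non-IPSEC build, so the declaration moved out of #ifdef IPSEC in the first hunk is required for that build to compile, which the patch does. `ro->ro_rt = NULL` after RTFREE is redundant for a stack variable about to go out of scope but harmless and worth keeping as a defensive habit.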
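To make the ownership rule the patch relies on concrete, here is an added userland model (not code from the mail, the patch or the FreeBSD tree) of the patched ip_output() path: `struct rtentry`, `rtalloc_model()`, `RTFREE_MODEL()`, `ip_output_model()` and `refcnt_while_caller_holds_route()` are constructed stand-ins that track only a reference count, so one can check that a NULL ro leaves no reference behind while a caller-supplied route is left intact for reuse.

```c
#include <string.h>

/* Constructed stand-ins for the kernel structures; only the reference
 * count matters for the ownership question the patch settles. */
struct rtentry { int rt_refcnt; };
struct route   { struct rtentry *ro_rt; };
static struct rtentry the_route = { 0 };   /* sole routing-table entry here */

int route_refcnt(void) { return the_route.rt_refcnt; }

/* Models of rtalloc() (look up, take a reference) and RTFREE() (drop one). */
static void rtalloc_model(struct route *ro)
{
    the_route.rt_refcnt++;
    ro->ro_rt = &the_route;
}
#define RTFREE_MODEL(rt) ((rt)->rt_refcnt--)

/* Model of ip_output() after the patch: ro may be NULL. A NULL ro becomes
 * a zeroed stack-local route, the only route this function releases; a
 * caller-supplied route keeps its cached entry and reference for reuse. */
int ip_output_model(struct route *ro)
{
    struct route iproute;

    if (ro == NULL) {
        ro = &iproute;
        memset(ro, 0, sizeof(*ro));   /* the patch uses bzero(); same effect */
    }
    if (ro->ro_rt == NULL)            /* no cached route: look one up */
        rtalloc_model(ro);
    /* ... the packet would be handed to the interface here ... */
    if (ro == &iproute && ro->ro_rt) {   /* release only what we took */
        RTFREE_MODEL(ro->ro_rt);
        ro->ro_rt = NULL;
    }
    return 0;
}

/* Caller that owns a cached route and sends twice: returns the count while it
 * still holds the route (expected 1), then releases it as an owner must. */
int refcnt_while_caller_holds_route(void)
{
    struct route r;
    int held;

    memset(&r, 0, sizeof(r));
    ip_output_model(&r);
    ip_output_model(&r);              /* cache hit: no new reference taken */
    held = route_refcnt();
    RTFREE_MODEL(r.ro_rt);
    return held;
}
```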