From owner-svn-src-head@FreeBSD.ORG Thu Apr 25 18:33:35 2013 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 2AF2A52A; Thu, 25 Apr 2013 18:33:35 +0000 (UTC) (envelope-from adrian.chadd@gmail.com) Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) by mx1.freebsd.org (Postfix) with ESMTP id 466FA1321; Thu, 25 Apr 2013 18:33:34 +0000 (UTC) Received: by mail-we0-f181.google.com with SMTP id m1so2831782wea.12 for ; Thu, 25 Apr 2013 11:33:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=tOQZeZ/zM9Zdykprb1ceEyAsLvdYS4iSIK8ZAaxMGl4=; b=jV7NK0UxwlxXqdIuEd2+dzRFZupl6tXgddW583F7HpnG8Fupc8sVCRB6Xg2Hy0G6rb y7mVh8gdI10xnR8hJeZq1H4ThY2s9QsyC6CKxHzS2Pdos+aLxemxNU8GKaR7Nnnjp8Ul tnRctU+Z/XiNaNJVnDORoayQ25ju9+CEhMH7O3GMs0FoACwBVhMsX5q74oBJrkYIMG2c MBVtqkMsx8LGP1jXGG+3Y22QEqoC+6TQpveQ0jePMR74zsklYh+0Nd6IA16k/9DvHacO YDNwIRrqWe9Hsma3xc6moRGD/cXcbxqkp5e8o5Z0y1CFbg2XEKTSlBjAafANtJpmdrwb gNkg== MIME-Version: 1.0 X-Received: by 10.194.93.68 with SMTP id cs4mr30409731wjb.17.1366914813365; Thu, 25 Apr 2013 11:33:33 -0700 (PDT) Sender: adrian.chadd@gmail.com Received: by 10.217.58.138 with HTTP; Thu, 25 Apr 2013 11:33:33 -0700 (PDT) In-Reply-To: <201304251738.r3PHc4aM060344@svn.freebsd.org> References: <201304251738.r3PHc4aM060344@svn.freebsd.org> Date: Thu, 25 Apr 2013 11:33:33 -0700 X-Google-Sender-Auth: bUBe9gXr2LZSAQh3rebPRrIh9Gc Message-ID: Subject: Re: svn commit: r249903 - head/sys/netinet From: Adrian Chadd To: Gleb Smirnoff Content-Type: text/plain; charset=ISO-8859-1 Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2013 18:33:35 -0000 .. is it possible to trigger a remote DoS through mbuf exhaustion somehow by exploiting this? Adrian On 25 April 2013 10:38, Gleb Smirnoff wrote: > Author: glebius > Date: Thu Apr 25 17:38:04 2013 > New Revision: 249903 > URL: http://svnweb.freebsd.org/changeset/base/249903 > > Log: > Fix couple of mbuf leaks in incoming ARP processing. > > Modified: > head/sys/netinet/if_ether.c > > Modified: head/sys/netinet/if_ether.c > ============================================================================== > --- head/sys/netinet/if_ether.c Thu Apr 25 17:27:13 2013 (r249902) > +++ head/sys/netinet/if_ether.c Thu Apr 25 17:38:04 2013 (r249903) > @@ -558,13 +558,13 @@ in_arpinput(struct mbuf *m) > if (ah->ar_pln != sizeof(struct in_addr)) { > log(LOG_NOTICE, "in_arp: requested protocol length != %zu\n", > sizeof(struct in_addr)); > - return; > + goto drop; > } > > if (allow_multicast == 0 && ETHER_IS_MULTICAST(ar_sha(ah))) { > log(LOG_NOTICE, "arp: %*D is multicast\n", > ifp->if_addrlen, (u_char *)ar_sha(ah), ":"); > - return; > + goto drop; > } > > op = ntohs(ah->ar_op);