Date:      Wed, 7 Apr 2004 12:28:38 -0700 (PDT)
From:      Julian Elischer <julian@elischer.org>
To:        Ruslan Ermilov <ru@FreeBSD.org>
Cc:        Julian Elischer <julian@FreeBSD.org>
Subject:   Re: ng_bridge(4) has an easily exploitable memory leak
Message-ID:  <Pine.BSF.4.21.0404071227420.34985-100000@InterJet.elischer.org>
In-Reply-To: <20040407191003.GA1136@ip.net.ua>


On Wed, 7 Apr 2004, Ruslan Ermilov wrote:

> Hi,
> 
> On RELENG_4, ng_bridge(4) has an easily exploitable memory leak,
> and may quickly run the system out of mbufs.  It's enough to just
> have only one link connected to the bridge, e.g., the "upper"
> hook of the ng_ether(4) with IP address assigned, and pinging
> the broadcast IP address on the interface.  The bug is more
> real when constructing a bridge, or, like we experienced it,
> by shutting down all except one bridge's link.  The following
> patch fixes it:
> 
> %%%
> Index: ng_bridge.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netgraph/ng_bridge.c,v
> retrieving revision 1.1.2.6
> diff -u -p -r1.1.2.6 ng_bridge.c
> --- ng_bridge.c	9 Jan 2004 08:58:06 -0000	1.1.2.6
> +++ ng_bridge.c	7 Apr 2004 12:29:46 -0000
> @@ -656,6 +656,11 @@ ng_bridge_rcvdata(hook_p hook, struct mb
>  		link->stats.recvUnknown++;
>  	}
>  
> +	/* If there's only one link, stop right here. */
> +	if (priv->numLinks == 1) {
> +		NG_FREE_DATA(m, meta);
> +		return (0);
> +	}
>  	/* Distribute unknown, multicast, broadcast pkts to all other links */
>  	for (linkNum = i = 0; i < priv->numLinks - 1; linkNum++) {
>  		struct ng_bridge_link *const destLink = priv->links[linkNum];
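Review bot: The comment on the new `priv->numLinks == 1` check says what it does but not why it is needed. With a single link the loop condition just below (`i < priv->numLinks - 1`) is false on entry, so the distribution loop is skipped entirely and, per the report above, `m` and `meta` are never freed. Spelling that out in the comment would keep the check from being removed as redundant later. Tying the free to "there is no other link to deliver to" rather than to the literal value 1 would also keep the fix next to the loop whose exit condition it depends on, and a blank line between the closing brace and the following comment would match the surrounding style.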
> %%%
> 
> An alternate solution is to MFC most of ng_bridge.c,v 1.8.  Julian?

What does an MFC diff look like?
(bridge is one of Archie's nodes)


> 
> 
> Cheers,
> -- 
> Ruslan Ermilov
> ru@FreeBSD.org
> FreeBSD committer
> 


