
FreeBSD routing table memory leak
19th Apr 2002 [SBWID-5284]
COMMAND

	FreeBSD routing table memory leak

SYSTEMS AFFECTED

	 FreeBSD 4.5-RELEASE

	 FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC

	 and prior to the correction date

	 Corrected: 2002-03-22 16:54:19 UTC (RELENG_4)

	            2002-04-15 17:12:08 UTC (RELENG_4_5)

	

PROBLEM

	In FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip:
	

	 Background

	 ==========

	

	The TCP/IP stack's routing table records information about how to
	reach various destinations. The first time a TCP connection is
	established with a particular host, a so-called "cloned route" entry
	for that host is automatically derived from one of the predefined
	routes and added to the table. Each entry has a reference count that
	indicates how many existing connections use that entry; when the
	reference count reaches zero, the entry is removed from the table.
	

	 Problem Description

	 ===================

	

	A bug was introduced into ip_output() wherein the processing of an ICMP
	echo reply message would cause a reference count on a routing table
	entry to never be decremented. Thus, memory allocated for the routing
	table entry was never deallocated.
	

	 Impact

	 ======

	

	This bug could be exploited to effect a remote denial of service
	attack. An attacker could cause new routing table entries (for example,
	by taking advantage of TCP's route cloning behavior) and then utilize
	this bug to cause the route entry to never be deallocated. In this
	fashion, the target system's memory can be exhausted.

SOLUTION

	 Workaround

	 ==========

	

	Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo messages.
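	The workaround above, written out as rules for the two filters the
	advisory names. This is an added example, not part of the advisory: the
	rule numbers, the log keyword and the choice to drop both echo types are
	assumptions, since the advisory only says "deny ICMP echo messages".

```shell
#!/bin/sh
# Added example (not from FreeBSD-SA-02:21): the "deny ICMP echo messages"
# workaround as ipfw(8) and ipf(8) rules. Rule numbers 100/110 are assumed.
# The advisory does not say which echo type to drop, so the stricter form
# below drops inbound echo request (type 8) and echo reply (type 0); dropping
# type 0 also breaks the host's own outgoing ping, so keep only the type 8
# rule if that matters. 'log' records matches so blocked probes are visible.

# ipfw(8) commands; 'me' matches every address configured on the host.
icmp_echo_ipfw_rules() {
    cat <<'EOF'
ipfw add 100 deny log icmp from any to me icmptypes 8
ipfw add 110 deny log icmp from any to me icmptypes 0
EOF
}

# ipf(8) rules (ipf.rules syntax); 'quick' stops evaluation at the match.
icmp_echo_ipf_rules() {
    cat <<'EOF'
block in log quick proto icmp from any to any icmp-type echo
block in log quick proto icmp from any to any icmp-type echorep
EOF
}

# Number of echo-related rules in a rule set read from stdin; a quick sanity
# check that the generated set is complete before it is loaded.
count_echo_rules() {
    grep -c -e 'icmptypes' -e 'icmp-type'
}

# Load the rules with whichever filter is installed. Only runs when the
# script is invoked as "apply"; the file name under /etc is an assumption.
apply_workaround() {
    if command -v ipfw >/dev/null 2>&1; then
        icmp_echo_ipfw_rules | sh -e
    elif command -v ipf >/dev/null 2>&1; then
        icmp_echo_ipf_rules > /etc/ipf.rules.icmp-echo
        ipf -f /etc/ipf.rules.icmp-echo
    else
        echo "neither ipfw nor ipf found" >&2
        return 1
    fi
}

case "${1:-}" in
    apply) apply_workaround ;;
    ipfw)  icmp_echo_ipfw_rules ;;
    ipf)   icmp_echo_ipf_rules ;;
esac
```

	Run with `ipfw` or `ipf` as the argument to print the rule set for
	review, and with `apply` as root to load it; remove the rules again once
	the patched kernel is running.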
	

	 Solution

	 ========

	

	1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or the
	RELENG_4_5 security branch dated after the respective correction dates.
	

	2) To patch your present system:
	

	a) Download the relevant patch from the location below, and verify the
	detached PGP signature using your PGP utility.
	

	

	[4.5-RELEASE,

	 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc

	

	

	b) Execute the following commands as root:
	

	

	# cd /usr/src

	# patch < /path/to/patch

	

	

	c) Recompile your kernel as described in
	http://www.freebsd.org/handbook/kernelconfig.html and reboot the
	system.
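	Steps 2a and 2b above as one script that refuses to apply the patch
	unless its detached signature verifies. This is an added example, not
	part of the advisory: the advisory says to verify "using your PGP
	utility" without naming a command, so gpg(1) is assumed here, as is the
	scratch directory; the kernel rebuild in step 2c is left to the handbook
	procedure the advisory links.

```shell
#!/bin/sh
# Added example (not from FreeBSD-SA-02:21): fetch, verify and apply the
# SA-02:21 patch, failing closed when the signature cannot be checked.
# Assumptions: gpg(1) is the PGP utility and the FreeBSD Security Officer
# key has already been imported into its keyring; WORKDIR is a scratch path.
set -eu

PATCH_URL=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
WORKDIR=${WORKDIR:-/var/tmp/sa-02-21}

# Step 2a: fetch the patch and its .asc signature with fetch(1), as in the advisory.
fetch_patch() {
    mkdir -p "$WORKDIR"
    ( cd "$WORKDIR" && fetch "$PATCH_URL" && fetch "$PATCH_URL.asc" )
}

# Return 0 only if the detached signature over $1 verifies. A missing patch,
# missing signature, or missing gpg all count as failure, so nothing
# unverified ever reaches patch(1).
verify_patch() {
    patch_file=$1
    [ -f "$patch_file" ] && [ -f "$patch_file.asc" ] || return 1
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --verify "$patch_file.asc" "$patch_file"
}

# Step 2b: apply a verified patch to the source tree as root.
apply_patch() {
    patch_file=$1
    if ! verify_patch "$patch_file"; then
        echo "signature check failed for $patch_file; not applying" >&2
        return 1
    fi
    ( cd /usr/src && patch < "$patch_file" )
    echo "patched; rebuild the kernel per" \
         "http://www.freebsd.org/handbook/kernelconfig.html and reboot"
}

case "${1:-}" in
    fetch) fetch_patch ;;
    apply) apply_patch "$WORKDIR/tcpip.patch" ;;
esac
```

	Run `fetch` first, then `apply` as root; the script stops before
	touching /usr/src if verify_patch reports a bad or unverifiable
	signature.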
	

	 Correction details

	 ==================

	

	The following list contains the revision numbers of each file that was
	corrected in FreeBSD.
	

	

	Path                       Branch        Revision
	------------------------------------------------------
	sys/netinet/ip_icmp.c      RELENG_4      1.39.2.16
	                           RELENG_4_5    1.39.2.14.2.1
	sys/netinet/ip_mroute.c    RELENG_4      1.56.2.4
	                           RELENG_4_5    1.56.2.3.2.1
	sys/netinet/ip_output.c    RELENG_4      1.99.2.29
	                           RELENG_4_5    1.99.2.24.2.1
	------------------------------------------------------

	
