kern/100098: ipfilter kernel memory leakage

Daniel Larsson Daniel.Larsson at servicefactory.com
Tue Jul 11 18:00:38 UTC 2006


>Number:         100098
>Category:       kern
>Synopsis:       ipfilter kernel memory leakage
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 11 18:00:36 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Larsson
>Release:        6.1
>Organization:
ServiceFactory AB
>Environment:
FreeBSD h180.servicefactory.se 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #0: Sun Jun 18 22:43:51 EEST 2006     root at h180.servicefactory.se:/usr/obj/usr/src/sys/XEON  i386
>Description:
ipnat host mappings aren't always "garbage collected", because ip_fil_freebsd.c:fr_fastroute increments the NAT entry's reference count without a corresponding decrement. The NAT entry is later unhooked from the internal hash, but the corresponding host map remains because nat_ref > 0.

fr_fastroute calls fr_checknatout under certain circumstances, and that call increases the refcount on the NAT entry when the packet is translated. fil.c does the same thing, but follows up with a fr_natderef call that decreases the refcount again; that call is missing from fr_fastroute.
>How-To-Repeat:
NAT router:/etc/ipnat.conf:
map fxp0 10.10.0.0/24 -> 192.168.0.1/32 portmap tcp/udp 9000:65500

From 10.10.0.254 (with above machine as default route):
curl http://1.2.3.4

NAT router:
---
# ipnat -lv
..
List of active sessions:
..
MAP 10.10.0.254     63258 <- -> 192.168.0.1       9000  [1.2.3.4 80]

List of active host mappings:
10.10.0.254,1.2.3.4 -> 192.168.0.1 (use = 1 hv = 201)
---

After a couple of minutes, when NAT entries have "timed out":
---
# ipnat -lv
..
List of active sessions:

List of active host mappings:
10.10.0.254,1.2.3.4 -> 192.168.0.1 (use = 1 hv = 201)
---

The NAT entry is gone, but the host mapping remains.
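To check a running NAT router for the symptom above without reading the listings by hand, here is an added script (not part of the PR or of ipfilter) that parses `ipnat -lv` output and flags host mappings whose use count exceeds the number of live sessions for the same address pair. It assumes the listing format shown in this report and matches a host mapping to sessions by internal-source/destination address only; the sample inputs are constructed from the listings above.

```shell
#!/bin/sh
# Constructed sample of `ipnat -lv` output (not captured from a real system),
# shaped like the report's second listing: session expired, host mapping left.
LEAKED_SAMPLE='List of active sessions:

List of active host mappings:
10.10.0.254,1.2.3.4 -> 192.168.0.1 (use = 1 hv = 201)'

# Same shape while the session is still alive (first listing in the report).
HEALTHY_SAMPLE='List of active sessions:
MAP 10.10.0.254     63258 <- -> 192.168.0.1       9000  [1.2.3.4 80]

List of active host mappings:
10.10.0.254,1.2.3.4 -> 192.168.0.1 (use = 1 hv = 201)'

# find_leaked_hostmaps: reads `ipnat -lv` text on stdin and prints one line for
# every host mapping whose "use" count is higher than the number of live MAP
# sessions for the same internal-source,destination pair. Exit status is 1 when
# at least one such mapping was found, 0 otherwise. Assumption: the listing
# format is the one shown in the report (hypothetical parser, not ipfilter code).
find_leaked_hostmaps() {
    awk '
    /^List of active sessions:/      { section = "sess"; next }
    /^List of active host mappings:/ { section = "host"; next }
    /^List of /                      { section = ""; next }
    section == "sess" && $1 == "MAP" {
        # $2 is the internal source address; the trailing "[dst port]" holds
        # the destination address in the next-to-last field.
        dst = $(NF - 1); sub(/^\[/, "", dst)
        live[$2 "," dst]++
    }
    section == "host" && match($0, /use = [0-9]+/) {
        use = substr($0, RSTART + 6, RLENGTH - 6) + 0
        key = $1                                  # "src,dst"
        if (use > live[key] + 0) {
            printf "%s use=%d sessions=%d\n", key, use, live[key] + 0
            leaked++
        }
    }
    END { exit (leaked > 0) }'
}

# Example run on the constructed sample; on a NAT router pipe the real output in:
#   ipnat -lv | find_leaked_hostmaps
printf '%s\n' "$LEAKED_SAMPLE" | find_leaked_hostmaps || echo "leaked host mapping(s) found"
```

A mapping reported here with sessions=0 that persists for longer than the NAT timeout is the signature described in this PR.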
>Fix:
The following patch seems to fix the problem:

Index: sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
===================================================================
RCS file: /var/cvs-freebsd/src/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 ip_fil_freebsd.c
--- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	25 Apr 2005 18:15:15 -0000	1.1.1.1
+++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c	11 Jul 2006 16:33:42 -0000
@@ -1234,6 +1234,7 @@
 		case 0 :
 			break;
 		case 1 :
+			fr_natderef((nat_t **)&fin->fin_nat);
 			ip->ip_sum = 0;
 			break;
 		case -1 :
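Review bot: the release is added only on the `case 1` path, so the fix depends on `fr_checknatout` taking the reference exclusively when it returns 1; if it can also hold one on the `case 0` or `case -1` returns, the leak survives there. Two things to confirm in the surrounding code: that nothing later in fr_fastroute still uses fin->fin_nat after `fr_natderef((nat_t **)&fin->fin_nat);` has released it, and that this call pairs with the fr_checknatout call exactly the way the fil.c counterpart mentioned in the description does (a pointer to that fil.c call site in the commit message would make the pairing explicit for reviewers).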

>Release-Note:
>Audit-Trail:
>Unformatted: