kern/100219: IPV6_PKTOPTIONS and possible mbuf exhaustion.
clemun at gmail.com
Thu Jul 13 17:40:18 UTC 2006
>Synopsis: IPV6_PKTOPTIONS and possible mbuf exhaustion.
>Arrival-Date: Thu Jul 13 17:40:15 GMT 2006
>Originator: Clément Lecigne
FreeBSD pouik 6.1-STABLE FreeBSD 6.1-STABLE #12: Thu Jul 13 10:02:47 CEST 2006 clem1 at pouik:/usr/obj/usr/src/sys/POUIK i386
When we call setsockopt() with IPV6_PKTOPTIONS and a huge optlen value, kernel will call soopt_getm(). This function will allocate plenty of mbuf (MGET), will hit the mbuf limit and will wait (M_TRYWAIT) until futher mbuf is available. At this point practically all mbuf are in use and networking applications may fail.
A similar issue has been described by James Juran (pr98858). However the proposed patch fixes the integer overflow (which can be more dangerous than a simple dos) and does not prevent users to use a huge int value in the 5th argument of setsockopt() to cause the same behavior described by James (with optlen = -1).
int main(int ac, char **av)
int s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
setsockopt(s, IPPROTO_IPV6, 25, 0xdeadbeef, 0x7fffffff);
Since the RFC3542 has removed IPV6_PKTOPTIONS, userland applications must not use this option anymore. I have not found IPv6 networking applications (i.e. ping6, rtadvd) that continue to use IPV6_PKTOPTIONS. So I think we can remove this option.
If not, we must put some limits on the sopt_valsize before calling soopt_getm().
More information about the freebsd-bugs