ng_bridge(4) has an easily exploitable memory leak
Julian Elischer
julian at elischer.org
Wed Apr 7 12:29:50 PDT 2004
On Wed, 7 Apr 2004, Ruslan Ermilov wrote:
> Hi,
>
> On RELENG_4, ng_bridge(4) has an easily exploitable memory leak,
> and may quickly run system out of mbufs. It's enough to just
> have only one link connected to the bridge, e.g., the "upper"
> hook of the ng_ether(4) with IP address assigned, and pinging
> the broadcast IP address on the interface. The bug is more
> real when constructing a bridge, or, like we experienced it,
> by shutting down all except one bridge's link. The following
> patch fixes it:
>
> %%%
> Index: ng_bridge.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netgraph/ng_bridge.c,v
> retrieving revision 1.1.2.6
> diff -u -p -r1.1.2.6 ng_bridge.c
> --- ng_bridge.c 9 Jan 2004 08:58:06 -0000 1.1.2.6
> +++ ng_bridge.c 7 Apr 2004 12:29:46 -0000
> @@ -656,6 +656,11 @@ ng_bridge_rcvdata(hook_p hook, struct mb
> link->stats.recvUnknown++;
> }
>
> + /* If there's only one link, stop right here. */
> + if (priv->numLinks == 1) {
> + NG_FREE_DATA(m, meta);
> + return (0);
> + }
> /* Distribute unknown, multicast, broadcast pkts to all other links */
> for (linkNum = i = 0; i < priv->numLinks - 1; linkNum++) {
> struct ng_bridge_link *const destLink = priv->links[linkNum];
> %%%
>
> An alternate solution is to MFC most of ng_bridge.c,v 1.8. Julian?
what does an MFC diff look like?
(bridge is one of archies's nodes)
>
>
> Cheers,
> --
> Ruslan Ermilov
> ru at FreeBSD.org
> FreeBSD committer
>
More information about the freebsd-stable
mailing list