ng_bridge(4) has an easily exploitable memory leak
Julian Elischer
julian at elischer.org
Thu Apr 8 11:42:24 PDT 2004
looks good but:
+ if (destLink == firstLink) {
+ /*
+ * If we've sent all the others, send the
original
+ * on the first link we found.
+ */
+ NG_SEND_DATA(error, destLink->hook, m, meta);
+ break; /* always done last - not really
needed. */
+ } else {
+ NG_SEND_DATA(error, destLink->hook, m2, meta2);
+ }
couldn't this be avoided by previously doing:
+ if (linkNum == priv->numLinks) {
+ /* If we never saw a good link, leave. */
+ if (firstLink == NULL) {
+ NG_FREE_DATA(m, meta);
+ return (0);
+ }
+ destLink = firstLink;
---> m2 = m;
---> meta2 = meta;
---> m=NULL;
---> meta=NULL;
+ }
I leave it up to you to decide which you prefer, (but remember that
NG_SEND_DATA is a macro and expads somewhat.
specifically, to (sorry about linewrap):
#define NG_SEND_DATA(error, hook, m, meta) \
do {\
item_p _item; \
if ((_item = ng_package_data((m), (meta)))) {\
NG_FWD_ITEM_HOOK(error, _item, hook); \
} else { \
(error) = ENOMEM; \
}\
(m) = NULL; \
(meta) = NULL; \
} while (0)
where NG_FWD_ITEM_HOOK
itself expands to:
#define NG_FWD_ITEM_HOOK(error, item, hook) \
do { \
(error) = \
ng_address_hook(NULL, (item), (hook), 0); \
if (error == 0) { \
SAVE_LINE(item); \
(error) = ng_snd_item((item), 0); \
} \
(item) = NULL; \
} while (0)
so only having one of those saves a bit of code.
On Thu, 8 Apr 2004, Ruslan Ermilov wrote:
> On Wed, Apr 07, 2004 at 12:28:38PM -0700, Julian Elischer wrote:
> > On Wed, 7 Apr 2004, Ruslan Ermilov wrote:
> >
> > > On RELENG_4, ng_bridge(4) has an easily exploitable memory leak,
> > > and may quickly run system out of mbufs. It's enough to just
> > > have only one link connected to the bridge, e.g., the "upper"
> > > hook of the ng_ether(4) with IP address assigned, and pinging
> > > the broadcast IP address on the interface. The bug is more
> > > real when constructing a bridge, or, like we experienced it,
> > > by shutting down all except one bridge's link. The following
> > > patch fixes it:
> > >
> [snipped]
>
> > > An alternate solution is to MFC most of ng_bridge.c,v 1.8. Julian?
> >
> > what does an MFC diff look like?
> > (bridge is one of archies's nodes)
> >
> But it was _you_ who masked this bugfix (which would equally apply
> to RELENG_4 as well) under the "SMP preparation" emblem. ;)
>
> Anyway, the patch for RELENG_4 is attached. I've only compile tested
> it.
>
>
> Cheers,
> --
> Ruslan Ermilov
> ru at FreeBSD.org
> FreeBSD committer
>
More information about the freebsd-stable
mailing list