Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 17 Mar 2004 10:40:14 -0800 (PST)
From:      Dmitry Morozovsky <marck@rinet.ru>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/64345: 4.x IPFW2 kernel memory leak (IPFW2+roteflaps+verrevpath) (fwd)
Message-ID:  <200403171840.i2HIeEd2032169@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The following reply was made to PR kern/64345; it has been noted by GNATS.

From: Dmitry Morozovsky <marck@rinet.ru>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/64345: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)
 (fwd)
Date: Wed, 17 Mar 2004 21:32:18 +0300 (MSK)

 Forwarding misfiled message to audit-trail:
 
 Sincerely,
 D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------
 
 ---------- Forwarded message ----------
 Date: Wed, 17 Mar 2004 17:16:13 +0300 (MSK)
 From: Oleg Bulyzhin <oleg@rinet.ru>
 To: Dmitry Morozovsky <marck@rinet.ru>
 Cc: FreeBSD-gnats-submit@freebsd.org
 Subject: Re: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)
 
 
 In order to reproduce problem do the following:
 
 ifconfig fxp0 10.0.0.1/24
 ipfw add 1 count verrevpath in
 
 while (true); do ping -c 2 -i 0.01 -S 10.0.0.1 localhost>/dev/null; ping -c 2 -i
  0.01 -S 127.0.0.1 localhost>/dev/null; route delete 10.0.0.1>/dev/null;netstat
  -rs|tail -1;vmstat -m|grep routetbl|tail -1;  done
 
 and look at numbers. If you run this script long enough (depends on your kernel
 memory size) you will get panic like this:
 
 panic: kmem_malloc(4096): kmem_map too small: 33554432 total allocated
 
 This happens due to verify_rev_path() calls rtalloc_ign() (for not cached
 routes) which increments rt_refcnt for corresponding rtentry structure.
 This lead to always 'held' routes which cannot be released by rtfree()
 (due to their rt_refcnt will never hit zero)
 
 P.S. this bug is remotely exploitable (at least if attacker is in your LAN).
 
 -- 
 Oleg.
 
 ================================================================
 === Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru ===
 ================================================================

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200403171840.i2HIeEd2032169>