Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » FreeBSD-SA-02:21.tcpip - routing table memory leak

FreeBSD-SA-02:21.tcpip - routing table memory leak

by Nikola Strahija on April 18th, 2002 A bug was introduced into ip_output() wherein the processing of an ICMP echo reply message would cause a reference count on a routing table entry to never be decremented. Thus, memory allocated for the routing table entry was never deallocated.


=============================================================================
FreeBSD-SA-02:21.tcpip Security Advisory
FreeBSD, Inc.

Topic: routing table memory leak

Category: core
Module: net
Announced: 2002-04-17
Credits: Jayanth Vijayaraghavan <[email protected]>
Ruslan Ermilov
Affects: FreeBSD 4.5-RELEASE
FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC
and prior to the correction date
Corrected: 2002-03-22 16:54:19 UTC (RELENG_4)
2002-04-15 17:12:08 UTC (RELENG_4_5)
FreeBSD only: YES

I. Background

The TCP/IP stack's routing table records information about how to
reach various destinations. The first time a TCP connection is
established with a particular host, a so-called "cloned route" entry
for that host is automatically derived from one of the predefined
routes and added to the table. Each entry has a reference count that
indicates how many existing connections use that entry; when the
reference count reaches zero, the entry is removed from the table.

II. Problem Description

A bug was introduced into ip_output() wherein the processing of an
ICMP echo reply message would cause a reference count on a routing
table entry to never be decremented. Thus, memory allocated for the
routing table entry was never deallocated.

III. Impact

This bug could be exploited to effect a remote denial of service
attack. An attacker could cause new routing table entries (for
example, by taking advantage of TCP's route cloning behavior) and
then utilize this bug to cause the route entry to never be
deallocated. In this fashion, the target system's memory can be
exhausted.

IV. Workaround

Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo
messages.

V. Solution

1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or
the RELENG_4_5 security branch dated after the respective correction
dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[4.5-RELEASE,
4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path Revision
Branch
--------------------------------------------------------------------------
sys/netinet/ip_icmp.c
RELENG_4 1.39.2.16
RELENG_4_5 1.39.2.14.2.1
sys/netinet/ip_mroute.c
RELENG_4 1.56.2.4
RELENG_4_5 1.56.2.3.2.1
sys/netinet/ip_output.c
RELENG_4 1.99.2.29
RELENG_4_5 1.99.2.24.2.1
--------------------------------------------------------------------------


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »