-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:21.tcpip Security Advisory
FreeBSD, Inc.
Topic: routing table memory leak
Category: core
Module: net
Announced: 2002-04-17
Credits: Jayanth Vijayaraghavan <jayanthat_private>
Ruslan Ermilov <ruat_private>
Affects: FreeBSD 4.5-RELEASE
FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC
and prior to the correction date
Corrected: 2002-03-22 16:54:19 UTC (RELENG_4)
2002-04-15 17:12:08 UTC (RELENG_4_5)
FreeBSD only: YES
I. Background
The TCP/IP stack's routing table records information about how to
reach various destinations. The first time a TCP connection is
established with a particular host, a so-called "cloned route" entry
for that host is automatically derived from one of the predefined
routes and added to the table. Each entry has a reference count that
indicates how many existing connections use that entry; when the
reference count reaches zero, the entry is removed from the table.
II. Problem Description
A bug was introduced into ip_output() wherein the processing of an
ICMP echo reply message would cause a reference count on a routing
table entry to never be decremented. Thus, memory allocated for the
routing table entry was never deallocated.
III. Impact
This bug could be exploited to effect a remote denial of service
attack. An attacker could cause new routing table entries (for
example, by taking advantage of TCP's route cloning behavior) and
then utilize this bug to cause the route entry to never be
deallocated. In this fashion, the target system's memory can be
exhausted.
IV. Workaround
Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo
messages.
V. Solution
1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or
the RELENG_4_5 security branch dated after the respective correction
dates.
2) To patch your present system:
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[4.5-RELEASE,
4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Path Revision
Branch
- -------------------------------------------------------------------------
sys/netinet/ip_icmp.c
RELENG_4 1.39.2.16
RELENG_4_5 1.39.2.14.2.1
sys/netinet/ip_mroute.c
RELENG_4 1.56.2.4
RELENG_4_5 1.56.2.3.2.1
sys/netinet/ip_output.c
RELENG_4 1.99.2.29
RELENG_4_5 1.99.2.24.2.1
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPL3IEFUuHi5z0oilAQE56AP/X0tJA/Q0y42JDqxI2A0NRnKyR5YWoH8D
i3izr0MxMTyPnuWg+uZHZhr/ve2AS2mTfNi7do0Ehdw0U2CEMnPKEVLMqt7kMFmL
i+ib4HCijb4RWn3WEC6ueO14SQDCB+X9w/yCVEfeHMWd2PrQWtDoCPmurOuQCz4W
IFu9kJLMhMA=
=qsYz
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 11:25:55 PDT