author | Bruce M Simpson <bms@FreeBSD.org> | 2003-09-23 20:08:42 +0000 |
---|---|---|
committer | Bruce M Simpson <bms@FreeBSD.org> | 2003-09-23 20:08:42 +0000 |
commit | abcf474963420a79a15436ee87198b5abf8fe95f (patch) | |
tree | da758c06786602365182f85ef840c5e9525d3572 | |
parent | 83f0aa230ca4cc8a6c2d6b385048cc780c1bef8e (diff) | |
Fix a bug in arplookup(), whereby a hostile party on a locally
attached network could exhaust kernel memory, and cause a system
panic, by sending a flood of spoofed ARP requests.
Approved by: security-officer, jake (mentor)
Reported by: Apple Product Security <product-security@apple.com>
Notes:
svn path=/releng/5.0/; revision=120391
-rw-r--r-- | UPDATING | 5 |
-rw-r--r-- | sys/conf/newvers.sh | 2 |
-rw-r--r-- | sys/netinet/if_ether.c | 20 |
3 files changed, 20 insertions, 7 deletions
@@ -17,6 +17,11 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section. +20030923: p15 FreeBSD-SA-03:14.arp + Fix a bug in arplookup(), whereby a hostile party on a locally + attached network could exhaust kernel memory, and cause a system + panic, by sending a flood of spoofed ARP requests. + 20030917: p14 FreeBSD-SA-03:13.sendmail Fix another address parsing buffer overflow. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index e93788c0810b..8900d3ba2bad 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -36,7 +36,7 @@ TYPE="FreeBSD" REVISION="5.0" -BRANCH="RELEASE-p14" +BRANCH="RELEASE-p15" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c index 691bbff14763..d0dfea0b674e 100644 --- a/sys/netinet/if_ether.c +++ b/sys/netinet/if_ether.c @@ -921,12 +921,20 @@ arplookup(addr, create, proxy) else if (rt->rt_gateway->sa_family != AF_LINK) why = "gateway route is not ours"; - if (why && create) { - log(LOG_DEBUG, "arplookup %s failed: %s\n", - inet_ntoa(sin.sin_addr), why); - return 0; - } else if (why) { - return 0; + if (why) { + if (create) + log(LOG_DEBUG, "arplookup %s failed: %s\n", + inet_ntoa(sin.sin_addr), why); + + /* If there are no references to this route, purge it */ + if (rt->rt_refcnt <= 0 && + (rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED) { + rtrequest(RTM_DELETE, + (struct sockaddr *)rt_key(rt), + rt->rt_gateway, rt_mask(rt), + rt->rt_flags, 0); + } + return (0); } return ((struct llinfo_arp *)rt->rt_llinfo); } |
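Review bot: In the sys/netinet/if_ether.c hunk, the purge condition `(rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED` selects only routes that were not cloned, while the comment above it mentions only the reference count. If the entries meant to be reclaimed are the ones created by cloning during the lookup, the sense of this test looks inverted: as written, those entries are kept and a non-cloned route with `rt_refcnt <= 0` that fails the `why` checks gets deleted instead. Please confirm which class of route is intended and say so in the comment. Separately, the return value of `rtrequest(RTM_DELETE, ...)` is discarded; a `log()` on failure, next to the existing "arplookup %s failed" message, would make it visible when the purge does not happen, since that is the condition that lets entries accumulate.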