author | Bruce M Simpson <bms@FreeBSD.org> | 2003-09-23 16:54:39 +0000 |
---|---|---|
committer | Bruce M Simpson <bms@FreeBSD.org> | 2003-09-23 16:54:39 +0000 |
commit | f1518e579174b7d10e7e52efe62e62a97d259f9e (patch) | |
tree | 3d4d37f2a517805c47c2ef8d6296e56f845bb9aa | |
parent | 45a8f75825568240d0a545a84b983c87236a542a (diff) | |
Fix a bug in arplookup(), whereby a hostile party on a locally
attached network could exhaust kernel memory, and cause a system
panic, by sending a flood of spoofed ARP requests.
Approved by: security-officer, jake (mentor)
Reported by: Apple Product Security <product-security@apple.com>
Notes
Notes:
svn path=/releng/4.5/; revision=120385
-rw-r--r-- | UPDATING | 5 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
-rw-r--r-- | sys/netinet/if_ether.c | 20 |
3 files changed, 20 insertions, 7 deletions
@@ -18,6 +18,11 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section.
+20030923: p33 FreeBSD-SA-03:14.arp
+ Fix a bug in arplookup(), whereby a hostile party on a locally
+ attached network could exhaust kernel memory, and cause a system
+ panic, by sending a flood of spoofed ARP requests.
+
 20030917: p32 FreeBSD-SA-03:13.sendmail Fix another address parsing buffer overflow.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index cd2bafc6d749..afb04f7eb0cd 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@ TYPE="FreeBSD" REVISION="4.5"
-BRANCH="RELEASE-p32"
+BRANCH="RELEASE-p33"
 RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index c6a3cbee8a6c..2c37cbcbcbe6 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -814,12 +814,20 @@ arplookup(addr, create, proxy) else if (rt->rt_gateway->sa_family != AF_LINK) why = "gateway route is not ours";
- if (why && create) {
- log(LOG_DEBUG, "arplookup %s failed: %s\n",
- inet_ntoa(sin.sin_addr), why);
- return 0;
- } else if (why) {
- return 0;
+ if (why) {
+ if (create)
+ log(LOG_DEBUG, "arplookup %s failed: %s\n",
+ inet_ntoa(sin.sin_addr), why);
+
+ /* If there are no references to this route, purge it */
+ if (rt->rt_refcnt <= 0 &&
+ (rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED) {
+ rtrequest(RTM_DELETE,
+ (struct sockaddr *)rt_key(rt),
+ rt->rt_gateway, rt_mask(rt),
+ rt->rt_flags, 0);
+ }
+ return (0);
 } return ((struct llinfo_arp *)rt->rt_llinfo); } |
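Review bot: The purge condition in the new `if (why)` branch of arplookup() tests `(rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED`, so it deletes only routes that were not cloned and leaves cloned ones in place. If the entries created by spoofed requests are cloned host routes (how `rt` is obtained is above the hunk, so this is inferred), they would survive, while a non-cloned route the lookup happened to resolve to, such as a static or network route, could be removed. Consider limiting the delete to dynamic clones, e.g. `(rt->rt_flags & (RTF_STATIC | RTF_WASCLONED)) == RTF_WASCLONED`, and extend the comment, which currently mentions only the reference count, to state which routes are eligible. The result of `rtrequest(RTM_DELETE, ...)` is also discarded, so a failed delete leaves the entry allocated without any log line.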