Archive of FreeBSD Security general posting, FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

18/04/02, FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Subject: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Date: Wed, 17 Apr 2002 12:23:42 -0700 (PDT)
Delivered-to: freebsd-security-notifications@freebsd.org
List-archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-id: <freebsd-security-notifications.FreeBSD.ORG>
List-subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security-notifications>
List-unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security-notifications>
Reply-to: postmaster@FreeBSD.ORG
Sender: owner-freebsd-security-notifications@FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:21.tcpip                                      Security Advisory
                                                                FreeBSD, Inc.

Topic:          routing table memory leak

Category:       core
Module:         net
Announced:      2002-04-17
Credits:        Jayanth Vijayaraghavan <jayanth@FreeBSD.org>
                Ruslan Ermilov <ru@FreeBSD.org>
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC
                    and prior to the correction date
Corrected:      2002-03-22 16:54:19 UTC (RELENG_4)
                2002-04-15 17:12:08 UTC (RELENG_4_5)
FreeBSD only:   YES

I.   Background

The TCP/IP stack's routing table records information about how to
reach various destinations.  The first time a TCP connection is
established with a particular host, a so-called "cloned route" entry
for that host is automatically derived from one of the predefined
routes and added to the table.  Each entry has a reference count that
indicates how many existing connections use that entry; when the
reference count reaches zero, the entry is removed from the table.

II.  Problem Description

A bug was introduced into ip_output() wherein the processing of an
ICMP echo reply message would cause a reference count on a routing
table entry to never be decremented.  Thus, memory allocated for the
routing table entry was never deallocated.

III. Impact

This bug could be exploited to effect a remote denial of service
attack.  An attacker could cause new routing table entries (for
example, by taking advantage of TCP's route cloning behavior) and
then utilize this bug to cause the route entry to never be
deallocated.  In this fashion, the target system's memory can be
exhausted.

IV.  Workaround

Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo
messages.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or
the RELENG_4_5 security branch dated after the respective correction
dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[4.5-RELEASE,
 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
sys/netinet/ip_icmp.c
  RELENG_4                                                      1.39.2.16
  RELENG_4_5                                                1.39.2.14.2.1
sys/netinet/ip_mroute.c
  RELENG_4                                                       1.56.2.4
  RELENG_4_5                                                 1.56.2.3.2.1
sys/netinet/ip_output.c
  RELENG_4                                                      1.99.2.29
  RELENG_4_5                                                1.99.2.24.2.1
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPL3IEFUuHi5z0oilAQE56AP/X0tJA/Q0y42JDqxI2A0NRnKyR5YWoH8D
i3izr0MxMTyPnuWg+uZHZhr/ve2AS2mTfNi7do0Ehdw0U2CEMnPKEVLMqt7kMFmL
i+ib4HCijb4RWn3WEC6ueO14SQDCB+X9w/yCVEfeHMWd2PrQWtDoCPmurOuQCz4W
IFu9kJLMhMA=
=qsYz
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message



Previous message sorted by date: FreeBSD Security Advisory FreeBSD-SA-02:20.syncache
Next message sorted by date: FreeBSD Security Advisory FreeBSD-SA-02:18.zlib [REVISED]
Previous message sorted by thread: FreeBSD Security Advisory FreeBSD-SA-02:20.syncache
Next message by thread: FreeBSD Security Advisory FreeBSD-SA-02:18.zlib [REVISED]
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jan 2003