patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and eventually be the same. For now files are just sitting there. The symlinks are missing.

Discussed on: www (repository location)
Discussed with: simon (so)
		
			
				
	
	
		
104 lines, 3.8 KiB, Text

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:21.tcpip                                      Security Advisory
                                                                FreeBSD, Inc.

Topic:          routing table memory leak

Category:       core
Module:         net
Announced:      2002-04-17
Credits:        Jayanth Vijayaraghavan <jayanth@FreeBSD.org>
                Ruslan Ermilov <ru@FreeBSD.org>
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC
                    and prior to the correction date
Corrected:      2002-03-22 16:54:19 UTC (RELENG_4)
                2002-04-15 17:12:08 UTC (RELENG_4_5)
FreeBSD only:   YES

I.   Background

The TCP/IP stack's routing table records information about how to
reach various destinations.  The first time a TCP connection is
established with a particular host, a so-called "cloned route" entry
for that host is automatically derived from one of the predefined
routes and added to the table.  Each entry has a reference count that
indicates how many existing connections use that entry; when the
reference count reaches zero, the entry is removed from the table.

II.  Problem Description

A bug was introduced into ip_output() wherein the processing of an
ICMP echo reply message would cause a reference count on a routing
table entry to never be decremented.  Thus, memory allocated for the
routing table entry was never deallocated.

III. Impact

This bug could be exploited to effect a remote denial of service
attack.  An attacker could cause new routing table entries (for
example, by taking advantage of TCP's route cloning behavior) and
then utilize this bug to cause the route entry to never be
deallocated.  In this fashion, the target system's memory can be
exhausted.

IV.  Workaround

Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo
messages.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or
the RELENG_4_5 security branch dated after the respective correction
dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[4.5-RELEASE,
 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
sys/netinet/ip_icmp.c
  RELENG_4                                                      1.39.2.16
  RELENG_4_5                                                1.39.2.14.2.1
sys/netinet/ip_mroute.c
  RELENG_4                                                       1.56.2.4
  RELENG_4_5                                                 1.56.2.3.2.1
sys/netinet/ip_output.c
  RELENG_4                                                      1.99.2.29
  RELENG_4_5                                                1.99.2.24.2.1
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPL3IEFUuHi5z0oilAQE56AP/X0tJA/Q0y42JDqxI2A0NRnKyR5YWoH8D
i3izr0MxMTyPnuWg+uZHZhr/ve2AS2mTfNi7do0Ehdw0U2CEMnPKEVLMqt7kMFmL
i+ib4HCijb4RWn3WEC6ueO14SQDCB+X9w/yCVEfeHMWd2PrQWtDoCPmurOuQCz4W
IFu9kJLMhMA=
=qsYz
-----END PGP SIGNATURE-----
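
The reference-count behaviour described in sections I and II of the advisory, as an added example that is not part of the advisory or of FreeBSD's source: a user-space C model in which the reply path takes a reference on a cloned route entry and, in the faulty variant, never drops it, so the entry outlives the connection that created it. All names (`rt_hold`, `rt_release`, `echo_reply`, `leaked_entries`) and the host addresses are hypothetical.

```c
/* Added example: user-space model, not FreeBSD kernel code; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct rt_entry { unsigned dst; int refcnt; struct rt_entry *next; };
static struct rt_entry *table;          /* cloned host routes */

/* Find the entry for dst, cloning one if absent; the caller gains a reference. */
static struct rt_entry *rt_hold(unsigned dst) {
    struct rt_entry *rt;
    for (rt = table; rt != NULL; rt = rt->next)
        if (rt->dst == dst) { rt->refcnt++; return rt; }
    if ((rt = malloc(sizeof(*rt))) == NULL) abort();
    rt->dst = dst; rt->refcnt = 1; rt->next = table; table = rt;
    return rt;
}

/* Drop one reference; unlink and free the entry when none remain. */
static void rt_release(struct rt_entry *rt) {
    struct rt_entry **pp = &table;
    if (--rt->refcnt > 0) return;
    while (*pp != rt) pp = &(*pp)->next;
    *pp = rt->next; free(rt);
}

/* Reply path: takes a reference to send, and must drop it on every exit. */
static void echo_reply(unsigned dst, int release_ref) {
    struct rt_entry *rt = rt_hold(dst);
    /* ... the reply would be transmitted via rt here ... */
    if (release_ref) rt_release(rt);    /* skipped in the faulty variant */
}

/* One connection and one echo reply per host; returns entries left behind. */
static int leaked_entries(int hosts, int release_ref) {
    int live = 0;
    for (int h = 0; h < hosts; h++) {
        struct rt_entry *conn = rt_hold(0x0a000000u + (unsigned)h); /* connection opens */
        echo_reply(conn->dst, release_ref);
        rt_release(conn);                                           /* connection closes */
    }
    while (table != NULL) {             /* count and free whatever is still in the table */
        struct rt_entry *rt = table; table = rt->next; free(rt); live++;
    }
    return live;
}

int main(void) {
    int faulty = leaked_entries(1000, 0), fixed = leaked_entries(1000, 1);
    printf("entries left: faulty=%d corrected=%d\n", faulty, fixed);
    return 0;
}
```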