From nobody@FreeBSD.org  Thu Jul 13 17:33:39 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3E51316A4DD
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 13 Jul 2006 17:33:39 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 60A1143D69
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 13 Jul 2006 17:33:34 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k6DHXYuA033402
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 13 Jul 2006 17:33:34 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k6DHXYCe033400;
	Thu, 13 Jul 2006 17:33:34 GMT
	(envelope-from nobody)
Message-Id: <200607131733.k6DHXYCe033400@www.freebsd.org>
Date: Thu, 13 Jul 2006 17:33:34 GMT
From: Clément Lecigne <clemun@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPV6_PKTOPTIONS and possible mbuf exhaustion.
X-Send-Pr-Version: www-2.3

>Number:         100219
>Category:       kern
>Synopsis:       [ip6] IPV6_PKTOPTIONS and possible mbuf exhaustion.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnn
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 13 17:40:15 GMT 2006
>Closed-Date:    
>Last-Modified:  Sun May 18 05:04:38 UTC 2014
>Originator:     Clément Lecigne
>Release:        6.1-STABLE
>Organization:
>Environment:
FreeBSD pouik 6.1-STABLE FreeBSD 6.1-STABLE #12: Thu Jul 13 10:02:47 CEST 2006     clem1@pouik:/usr/obj/usr/src/sys/POUIK  i386

>Description:
When we call setsockopt() with IPV6_PKTOPTIONS and a huge optlen value, the
kernel will call soopt_getm(). This function will allocate plenty of mbufs
(MGET), will hit the mbuf limit and will wait (M_TRYWAIT) until further mbufs
are available. At this point practically all mbufs are in use and networking
applications may fail.

A similar issue has been described by James Juran (kern/98858). However, the
proposed patch fixes the integer overflow (which can be more dangerous than
a simple DoS) but does not prevent users from using a huge int value in the 5th
argument of setsockopt() to cause the same behavior described by James (with
optlen = -1).

>How-To-Repeat:
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void)
{
    int s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
    /* Option 25 is IPV6_PKTOPTIONS. The option value pointer is never
     * dereferenced before soopt_getm() tries to allocate an mbuf chain
     * for the huge optlen, so a bogus pointer suffices. */
    setsockopt(s, IPPROTO_IPV6, 25, (const void *)0xdeadbeef, 0x7fffffff);
    return 0;
}
>Fix:
Since RFC 3542 has removed IPV6_PKTOPTIONS, userland applications must
not use this option anymore. I have not found any IPv6 networking applications
(i.e. ping6, rtadvd) that still use IPV6_PKTOPTIONS. So I think we
can remove this option.

If not, we must put some limits on the sopt_valsize before calling soopt_getm().
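The following is an added userland model of the two code paths described in this report, not code from the PR or from the FreeBSD kernel. It mimics soopt_getm() chunking a caller-supplied sopt_valsize into a fixed mbuf pool, and places the hardened path (a bound on sopt_valsize before any allocation) beside the unbounded one; SIM_MLEN, SIM_POOL_MBUFS and MAX_PKTOPT_LEN are assumed, illustrative constants.

```c
#include <errno.h>
#include <stddef.h>

#define SIM_MLEN        224    /* assumed payload bytes per mbuf */
#define SIM_POOL_MBUFS  4096   /* assumed size of the mbuf pool */
#define MAX_PKTOPT_LEN  2048   /* assumed sane upper bound for option data */

/* Only the field this report talks about; not the real struct sockopt. */
struct sockopt { size_t sopt_valsize; };

static size_t pool_in_use;     /* mbufs currently taken from the pool */

/* Model of soopt_getm(): one mbuf per SIM_MLEN bytes of sopt_valsize.
 * Where the kernel would block in M_TRYWAIT with the pool drained, the
 * model marks the pool exhausted and returns ENOBUFS. */
static int soopt_getm_sim(const struct sockopt *sopt) {
    size_t need = (sopt->sopt_valsize + SIM_MLEN - 1) / SIM_MLEN;
    if (need > SIM_POOL_MBUFS - pool_in_use) {
        pool_in_use = SIM_POOL_MBUFS;   /* nothing left for other sockets */
        return ENOBUFS;
    }
    pool_in_use += need;
    return 0;
}

static void soopt_freem_sim(size_t valsize) {
    pool_in_use -= (valsize + SIM_MLEN - 1) / SIM_MLEN;
}

/* Unbounded path: the user-controlled length goes straight to the allocator. */
int pktoptions_setopt_unbounded(const struct sockopt *sopt) {
    int err = soopt_getm_sim(sopt);
    if (err == 0)
        soopt_freem_sim(sopt->sopt_valsize);   /* option applied, chain released */
    return err;
}

/* Hardened path: reject oversized lengths before touching the pool. */
int pktoptions_setopt_bounded(const struct sockopt *sopt) {
    if (sopt->sopt_valsize > MAX_PKTOPT_LEN)
        return EINVAL;
    return pktoptions_setopt_unbounded(sopt);
}

size_t pool_mbufs_in_use(void) { return pool_in_use; }
void pool_reset(void) { pool_in_use = 0; }
```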


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sat Mar 8 20:27:57 UTC 2008 
Responsible-Changed-Why:  
Bjoern has recently been working with the IPv6 options code, pass it over 
to him to opine on. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100219 
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:04:28 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we will have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100219 
>Unformatted:
