From marck@woozle.rinet.ru  Tue Mar 16 08:20:24 2004
Return-Path: <marck@woozle.rinet.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7CA4816A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 16 Mar 2004 08:20:24 -0800 (PST)
Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C5E4F43D45
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 16 Mar 2004 08:20:23 -0800 (PST)
	(envelope-from marck@woozle.rinet.ru)
Received: from woozle.rinet.ru (localhost [127.0.0.1])
	by woozle.rinet.ru (8.12.10/8.12.10) with ESMTP id i2GGKLci018372;
	Tue, 16 Mar 2004 19:20:21 +0300 (MSK)
	(envelope-from marck@woozle.rinet.ru)
Received: (from marck@localhost)
	by woozle.rinet.ru (8.12.10/8.12.10/Submit) id i2GGKL4w018371;
	Tue, 16 Mar 2004 19:20:21 +0300 (MSK)
	(envelope-from marck)
Message-Id: <200403161620.i2GGKL4w018371@woozle.rinet.ru>
Date: Tue, 16 Mar 2004 19:20:21 +0300 (MSK)
From: Dmitry Morozovsky <marck@rinet.ru>
Reply-To: Dmitry Morozovsky <marck@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: oleg@rinet.ru
Subject: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         64345
>Category:       kern
>Synopsis:       4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 16 08:30:24 PST 2004
>Closed-Date:    Sun Apr 04 04:03:52 PDT 2004
>Last-Modified:  Sun Apr 04 04:03:52 PDT 2004
>Originator:     Dmitry Morozovsky
>Release:        FreeBSD 4-STABLE i386
>Organization:
Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD 4-STABLE 


>Description:

The following error was caught by Oleg Bulyzhin <oleg@rinet.ru>

It seems 4-STABLE leaks kernel memory in the routing table while checking reverse
paths.  Our inter-vlan router with zebra/ospfd and 60+ VLANs exhausts the default
100M of route table space in a couple of weeks.

The error does not apply to -current since verify_rev_path() has been implemented
in a different (and much cleaner) way there.

>How-To-Repeat:
- build kernel or .ko with ipfw2
- add verrevpath checking rule
ipfw add 50 deny ip from any to any not verrevpath in
- use routing daemon with regular route update flow

- watch the kernel memory used by the route table with
vmstat -m | grep rout | tail -1

>Fix:

The following patch seems to fix the problem for us.  However, other corner
cases may exist, so maybe just MFC ip_fw2.c:1.50 ?

Index: sys/netinet/ip_fw2.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.6.2.18
diff -u -r1.6.2.18 ip_fw2.c
--- sys/netinet/ip_fw2.c	17 Oct 2003 11:01:03 -0000	1.6.2.18
+++ sys/netinet/ip_fw2.c	16 Mar 2004 12:39:52 -0000
@@ -432,6 +432,7 @@
 
 	/* Check if we've cached the route from the previous call. */
 	if (src.s_addr != dst->sin_addr.s_addr) {
+		if (ro.ro_rt != NULL) RTFREE(ro.ro_rt);
 		ro.ro_rt = NULL;
 
 		bzero(dst, sizeof(*dst));
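Review bot: the added RTFREE() releases the cached reference only when the source address differs from the previous call, so a reference taken on a route that has since been deleted (the "route flap" case in the synopsis) stays held until a packet from a different source reaches this code; consider also dropping and re-looking-up the cached entry when it is no longer RTF_UP. Style point for the same line: style(9) puts the statement on its own line under the `if`, i.e. `if (ro.ro_rt != NULL)` / `RTFREE(ro.ro_rt);`, and the following `ro.ro_rt = NULL;` is still needed so the pointer is not freed twice.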
>Release-Note:
>Audit-Trail:

From: Dmitry Morozovsky <marck@rinet.ru>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/64345: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)
 (fwd)
Date: Wed, 17 Mar 2004 21:32:18 +0300 (MSK)

 Forwarding misfiled message to audit-trail:
 
 Sincerely,
 D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------
 
 ---------- Forwarded message ----------
 Date: Wed, 17 Mar 2004 17:16:13 +0300 (MSK)
 From: Oleg Bulyzhin <oleg@rinet.ru>
 To: Dmitry Morozovsky <marck@rinet.ru>
 Cc: FreeBSD-gnats-submit@freebsd.org
 Subject: Re: 4.x IPFW2 kernel memory leak (IPFW2+rote flaps+verrevpath)
 
 
 In order to reproduce the problem do the following:
 
 ifconfig fxp0 10.0.0.1/24
 ipfw add 1 count verrevpath in
 
 while true; do
     ping -c 2 -i 0.01 -S 10.0.0.1 localhost >/dev/null
     ping -c 2 -i 0.01 -S 127.0.0.1 localhost >/dev/null
     route delete 10.0.0.1 >/dev/null
     netstat -rs | tail -1
     vmstat -m | grep routetbl | tail -1
 done
 
 and look at the numbers. If you run this script long enough (depends on your kernel
 memory size) you will get a panic like this:
 
 panic: kmem_malloc(4096): kmem_map too small: 33554432 total allocated
 
 This happens because verify_rev_path() calls rtalloc_ign() (for non-cached
 routes), which increments rt_refcnt for the corresponding rtentry structure.
 This leads to permanently 'held' routes which cannot be released by rtfree()
 (since their rt_refcnt will never hit zero).
 
 P.S. this bug is remotely exploitable (at least if attacker is in your LAN).
 
 -- 
 Oleg.
 
 ================================================================
 === Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru ===
 ================================================================
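As an added illustration (this is not FreeBSD code and not part of the PR), the following user-space model reproduces the mechanism Oleg describes and the effect of the one-line patch in the Fix section. The rtentry, route cache, rtalloc_ign(), rtfree() and route_delete() here are constructed stand-ins for the kernel structures and functions of the same names; the table itself holds one reference per route, a lookup takes another, and an entry is freed only when it is down and unreferenced. Alternating two source addresses forces a cache miss on every verify_rev_path() call, and the count of still-allocated entries is the number vmstat -m reports growing on a real system.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct rtentry: destination, an "up" flag in the
 * role of RTF_UP, and the reference count that the PR is about. */
struct rtentry {
	uint32_t rt_dst;
	int rt_up;
	long rt_refcnt;
};

/* Constructed stand-in for ipfw's per-call cache (struct route in the hunk). */
struct route_cache {
	uint32_t src;
	struct rtentry *ro_rt;
};

#define MAXRT 16
static struct rtentry *rtable[MAXRT];	/* modelled routing table */
static int rt_allocated;		/* rtentry objects not yet freed */

/* Model of rtfree(): drop one reference; free once unreferenced and down. */
static void rtfree(struct rtentry *rt)
{
	if (--rt->rt_refcnt <= 0 && !rt->rt_up) {
		free(rt);
		rt_allocated--;
	}
}

/* Install a route; the table holds one reference of its own. */
static struct rtentry *rt_add(uint32_t dst)
{
	for (int i = 0; i < MAXRT; i++) {
		if (rtable[i] == NULL) {
			struct rtentry *rt = calloc(1, sizeof(*rt));
			if (rt == NULL)
				return NULL;
			rt->rt_dst = dst;
			rt->rt_up = 1;
			rt->rt_refcnt = 1;
			rtable[i] = rt;
			rt_allocated++;
			return rt;
		}
	}
	return NULL;
}

/* Model of rtalloc_ign(): a successful lookup takes a reference. */
static struct rtentry *rtalloc_ign(uint32_t dst)
{
	for (int i = 0; i < MAXRT; i++) {
		if (rtable[i] != NULL && rtable[i]->rt_dst == dst) {
			rtable[i]->rt_refcnt++;
			return rtable[i];
		}
	}
	return NULL;
}

/* Model of "route delete": mark down, unlink, drop the table's reference. */
static int route_delete(uint32_t dst)
{
	for (int i = 0; i < MAXRT; i++) {
		if (rtable[i] != NULL && rtable[i]->rt_dst == dst) {
			struct rtentry *rt = rtable[i];
			rtable[i] = NULL;
			rt->rt_up = 0;
			rtfree(rt);
			return 1;
		}
	}
	return 0;
}

/* Cache-miss path of verify_rev_path() as in the hunk. With apply_fix == 0 the
 * old cached reference is overwritten without rtfree(), the 1.6.2.18 behaviour. */
static int verify_rev_path(struct route_cache *ro, uint32_t src, int apply_fix)
{
	if (src != ro->src) {
		if (apply_fix && ro->ro_rt != NULL)
			rtfree(ro->ro_rt);	/* the patch's RTFREE() */
		ro->ro_rt = NULL;
		ro->src = src;
		ro->ro_rt = rtalloc_ign(src);
	}
	return ro->ro_rt != NULL;
}

/* Alternate two sources (constructed: 10.0.0.1 and 127.0.0.1, as in the PR's
 * reproduction) so every check misses the cache; delete the route after each
 * check. Returns the number of rtentry objects still allocated afterwards. */
int leaked_after_flaps(int flaps, int apply_fix)
{
	struct route_cache ro = { 0, NULL };
	memset(rtable, 0, sizeof(rtable));
	rt_allocated = 0;
	for (int i = 0; i < flaps; i++) {
		uint32_t src = (i & 1) ? 0x0a000001u : 0x7f000001u;
		if (rt_add(src) == NULL)
			return -1;
		verify_rev_path(&ro, src, apply_fix);
		route_delete(src);
	}
	if (apply_fix && ro.ro_rt != NULL)
		rtfree(ro.ro_rt);	/* release the cache's own last reference */
	return rt_allocated;
}

int main(void)
{
	printf("without fix: %d entries still allocated after 8 flaps\n",
	    leaked_after_flaps(8, 0));
	printf("with fix:    %d entries still allocated after 8 flaps\n",
	    leaked_after_flaps(8, 1));
	return 0;
}
```

Without the fix every deleted route is left at rt_refcnt == 1, so the allocation count grows by one per flap; with the RTFREE() in place each cache miss drops the stale reference and the deleted entry is actually freed.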
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: kris 
Responsible-Changed-When: Wed Mar 17 15:08:15 PST 2004 
Responsible-Changed-Why:  
Assign to ipfw mailing list 

http://www.freebsd.org/cgi/query-pr.cgi?pr=64345 
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Sun Apr 4 04:02:39 PDT 2004 
State-Changed-Why:  
Andre has fixed this bug in rev. 1.6.2.21 sys/netinet/ip_fw2.c.  Thanks 
for the report. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=64345 
>Unformatted:
