From oleg@rinet.ru  Wed Mar 17 06:16:16 2004
Return-Path: <oleg@rinet.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D5B9216A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 17 Mar 2004 06:16:16 -0800 (PST)
Received: from lath.rinet.ru (lath.rinet.ru [195.54.192.90])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 25EE543D2D
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 17 Mar 2004 06:16:16 -0800 (PST)
	(envelope-from oleg@rinet.ru)
Received: from lath.rinet.ru (localhost [127.0.0.1])
	by lath.rinet.ru (8.12.9p2/8.12.9) with ESMTP id i2HEGE3Q010508
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 17 Mar 2004 17:16:14 +0300 (MSK)
	(envelope-from oleg@rinet.ru)
Received: from localhost (oleg@localhost)
	by lath.rinet.ru (8.12.9p2/8.12.9/Submit) with ESMTP id i2HEGDIa010505;
	Wed, 17 Mar 2004 17:16:13 +0300 (MSK)
	(envelope-from oleg@rinet.ru)
Message-Id: <20040317170503.W10391@lath.rinet.ru>
Date: Wed, 17 Mar 2004 17:16:13 +0300 (MSK)
From: Oleg Bulyzhin <oleg@rinet.ru>
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: FreeBSD-gnats-submit@freebsd.org
In-Reply-To: <200403161620.i2GGKL4w018371@woozle.rinet.ru>
Subject: Re: 4.x IPFW2 kernel memory leak (IPFW2+route flaps+verrevpath)
References: <200403161620.i2GGKL4w018371@woozle.rinet.ru>

>Number:         64372
>Category:       kern
>Synopsis:       Re: 4.x IPFW2 kernel memory leak (IPFW2+route flaps+verrevpath)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 17 06:20:20 PST 2004
>Closed-Date:    Mon Mar 29 09:33:40 PST 2004
>Last-Modified:  Mon Mar 29 09:33:40 PST 2004
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 In order to reproduce the problem, do the following:
 
 ifconfig fxp0 10.0.0.1/24
 ipfw add 1 count verrevpath in
 
 while (true); do
     ping -c 2 -i 0.01 -S 10.0.0.1 localhost >/dev/null
     ping -c 2 -i 0.01 -S 127.0.0.1 localhost >/dev/null
     route delete 10.0.0.1 >/dev/null
     netstat -rs | tail -1
     vmstat -m | grep routetbl | tail -1
 done
 
 and look at the numbers. If you run this script long enough (it depends on your
 kernel memory size) you will get a panic like this:
 
 panic: kmem_malloc(4096): kmem_map too small: 33554432 total allocated
 
 This happens because verify_rev_path() calls rtalloc_ign() (for routes that are
 not cached), which increments rt_refcnt for the corresponding rtentry structure.
 This leads to permanently 'held' routes which cannot be released by rtfree()
 (because their rt_refcnt will never hit zero).
 
 P.S. This bug is remotely exploitable (at least if the attacker is on your LAN).
 
 -- 
 Oleg.
 
 ================================================================
 === Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru ===
 ================================================================
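The leak pattern the report describes, a lookup that takes a reference on a route entry with no matching release, modelled in an added C example. This is not part of the PR and not FreeBSD kernel code: struct rtentry and rt_refcnt mirror the names used in the report, while rt_lookup() (standing in for rtalloc_ign()), rt_release() (standing in for rtfree()), rt_delete(), simulate(), entry_reclaimed() and the one-route table are invented stand-ins constructed for the demonstration.

```c
/* Illustrative model of the refcount leak in this PR. Example code written
 * for this note, not FreeBSD source: the route table and all helpers are
 * constructed stand-ins; only the names rtentry/rt_refcnt follow the report. */
#include <stdint.h>
#include <stdio.h>

enum rt_state { RT_LIVE, RT_DETACHED, RT_FREED };

struct rtentry {
    uint32_t      rt_dst;     /* network address, host byte order */
    uint32_t      rt_mask;    /* netmask, host byte order */
    int           rt_refcnt;  /* references currently held by callers */
    enum rt_state rt_state;   /* in table, deleted-but-held, or reclaimed */
};

/* Constructed routing table: the single 10.0.0.0/24 route from the PR. */
static struct rtentry rt_table[] = {
    { 0x0a000000u, 0xffffff00u, 0, RT_LIVE },
};
#define RT_TABLE_LEN (sizeof rt_table / sizeof rt_table[0])

/* Stand-in for rtalloc_ign(): returns the matching live route with one
 * extra reference taken on the caller's behalf, or NULL if none matches. */
static struct rtentry *rt_lookup(uint32_t dst)
{
    for (size_t i = 0; i < RT_TABLE_LEN; i++) {
        struct rtentry *rt = &rt_table[i];
        if (rt->rt_state == RT_LIVE && (dst & rt->rt_mask) == rt->rt_dst) {
            rt->rt_refcnt++;
            return rt;
        }
    }
    return NULL;
}

/* Stand-in for rtfree(): drops one reference; a deleted entry is reclaimed
 * only once the last reference is gone. */
static void rt_release(struct rtentry *rt)
{
    if (rt->rt_refcnt > 0)
        rt->rt_refcnt--;
    if (rt->rt_refcnt == 0 && rt->rt_state == RT_DETACHED)
        rt->rt_state = RT_FREED;
}

/* "route delete": unlink the entry; its memory is reclaimed immediately only
 * if nobody still holds a reference, otherwise it lingers until they drop it. */
static void rt_delete(struct rtentry *rt)
{
    if (rt->rt_state != RT_LIVE)
        return;
    rt->rt_state = (rt->rt_refcnt == 0) ? RT_FREED : RT_DETACHED;
}

/* Leaky reverse-path check, shaped like the bug in the PR: the reference
 * taken by the lookup is never released. */
static int verify_rev_path_leaky(uint32_t src)
{
    return rt_lookup(src) != NULL;
}

/* Corrected form: every successful lookup is paired with a release. */
static int verify_rev_path_fixed(uint32_t src)
{
    struct rtentry *rt = rt_lookup(src);
    if (rt == NULL)
        return 0;
    rt_release(rt);
    return 1;
}

/* Run n checks for source 10.0.0.1 through the given verifier, then delete
 * the route as the PR's loop does. Returns the refcount left behind. */
static int simulate(int (*verify)(uint32_t), int n)
{
    struct rtentry *rt = &rt_table[0];
    rt->rt_refcnt = 0;
    rt->rt_state = RT_LIVE;
    for (int i = 0; i < n; i++)
        verify(0x0a000001u);
    rt_delete(rt);
    return rt->rt_refcnt;
}

/* Whether the deleted route's memory was actually reclaimed. */
static int entry_reclaimed(void)
{
    return rt_table[0].rt_state == RT_FREED;
}

int main(void)
{
    int left = simulate(verify_rev_path_leaky, 1000);
    printf("leaky: refcnt left=%d reclaimed=%d\n", left, entry_reclaimed());
    left = simulate(verify_rev_path_fixed, 1000);
    printf("fixed: refcnt left=%d reclaimed=%d\n", left, entry_reclaimed());
    return 0;
}
```

In the model the leaky verifier leaves rt_refcnt equal to the number of checks performed, so the deleted route is detached from the table but never freed; that unreclaimed memory is what the growing routetbl line from vmstat -m in the reproduction loop corresponds to. The fixed verifier returns the count to zero after each check, and the deletion reclaims the entry.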
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Mon Mar 29 09:32:24 PST 2004 
State-Changed-Why:  
Misfiled followup to kern/64345; text had already been copied over 
earlier. 


Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Mar 29 09:32:24 PST 2004 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=64372 
>Unformatted:
