Fix a bug in arplookup(), whereby a hostile party on a locally

attached network could exhaust kernel memory, and cause a system panic, by sending a flood of spoofed ARP requests. Approved by: jake (mentor) Reported by: Apple Product Security <product-security@apple.com>
2003-09-23 16:39:31 +00:00 · 2003-09-23 16:39:31 +00:00 · fedf1d01a2
commit fedf1d01a2
parent b15572e3fc
2 changed files with 20 additions and 6 deletions
--- a/6
+++ b/6
@ -17,6 +17,12 @@ NOTE TO PEOPLE WHO THINK THAT 5.0-CURRENT IS SLOW:
 	developers choose to disable these features on build machines
 	to maximize performance.

+20030923:
+	Fix a bug in arplookup(), whereby a hostile party on a locally
+	attached network could exhaust kernel memory, and cause a system 
+	panic, by sending a flood of spoofed ARP requests. See
+	FreeBSD-SA-03:14.arp.
+
 20030915:
 	A change to /etc/defaults/rc.conf now causes inetd to be started
 	with `-C 60' if it is not overridden in /etc/rc.conf.  This
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@ -918,12 +918,20 @@ arplookup(addr, create, proxy)
 	else if (rt->rt_gateway->sa_family != AF_LINK)
 		why = "gateway route is not ours";

-	if (why && create) {
-		log(LOG_DEBUG, "arplookup %s failed: %s\n",
-		    inet_ntoa(sin.sin_addr), why);
-		return 0;
-	} else if (why) {
-		return 0;
+	if (why) {
+		if (create)
+			log(LOG_DEBUG, "arplookup %s failed: %s\n",
+			    inet_ntoa(sin.sin_addr), why);
+
+		/* If there are no references to this route, purge it */
+		if (rt->rt_refcnt <= 0 &&
+		    (rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED) {
+			rtrequest(RTM_DELETE,
+					(struct sockaddr *)rt_key(rt),
+					rt->rt_gateway, rt_mask(rt),
+					rt->rt_flags, 0);
+		}
+		return (0);
 	}
 	return ((struct llinfo_arp *)rt->rt_llinfo);
 }