Fix a bug in arplookup(), whereby a hostile party on a locally

attached network could exhaust kernel memory, and cause a system
panic, by sending a flood of spoofed ARP requests.

Approved by:	jake (mentor)
Reported by:	Apple Product Security <product-security@apple.com>

UPDATING

@@ -17,6 +17,12 @@ NOTE TO PEOPLE WHO THINK THAT 5.0-CURRENT IS SLOW:
 	developers choose to disable these features on build machines
 	to maximize performance.
 
+20030923:
+	Fix a bug in arplookup(), whereby a hostile party on a locally
+	attached network could exhaust kernel memory, and cause a system 
+	panic, by sending a flood of spoofed ARP requests. See
+	FreeBSD-SA-03:14.arp.
+
 20030915:
 	A change to /etc/defaults/rc.conf now causes inetd to be started
 	with `-C 60' if it is not overridden in /etc/rc.conf.  This

sys/netinet/if_ether.c

@@ -918,12 +918,20 @@ arplookup(addr, create, proxy)
 	else if (rt->rt_gateway->sa_family != AF_LINK)
 		why = "gateway route is not ours";
 
-	if (why && create) {
+	if (why) {
-		log(LOG_DEBUG, "arplookup %s failed: %s\n",
+		if (create)
-		    inet_ntoa(sin.sin_addr), why);
+			log(LOG_DEBUG, "arplookup %s failed: %s\n",
-		return 0;
+			    inet_ntoa(sin.sin_addr), why);
-	} else if (why) {
+
-		return 0;
+		/* If there are no references to this route, purge it */
+		if (rt->rt_refcnt <= 0 &&
+		    (rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED) {
+			rtrequest(RTM_DELETE,
+					(struct sockaddr *)rt_key(rt),
+					rt->rt_gateway, rt_mask(rt),
+					rt->rt_flags, 0);
+		}
+		return (0);
 	}
 	return ((struct llinfo_arp *)rt->rt_llinfo);
 }