Bug 100219 - [ip6] IPV6_PKTOPTIONS and possible mbuf exhaustion.
Summary: [ip6] IPV6_PKTOPTIONS and possible mbuf exhaustion.
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 6.1-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: George V. Neville-Neil
Reported: 2006-07-13 18:40 UTC by Clément Lecigne
Modified: 2019-01-19 06:40 UTC
Description Clément Lecigne 2006-07-13 18:40:15 UTC
When we call setsockopt() with IPV6_PKTOPTIONS and a huge optlen value,
the kernel will call soopt_getm(). This function will allocate plenty of mbufs
(MGET), will hit the mbuf limit and will wait (M_TRYWAIT) until further mbufs
are available. At this point practically all mbufs are in use and networking
applications may fail.

A similar issue has been described by James Juran (kern/98858). However the
proposed patch fixes the integer overflow (which can be more dangerous than
a simple DoS) and does not prevent users from using a huge int value in the 5th
argument of setsockopt() to cause the same behavior described by James (with
optlen = -1).

Fix: 

Since the RFC3542 has removed IPV6_PKTOPTIONS, userland applications must
not use this option anymore. I have not found IPv6 networking applications
(i.e. ping6, rtadvd) that continue to use IPV6_PKTOPTIONS. So I think we
can remove this option.

If not, we must put some limits on the sopt_valsize before calling soopt_getm().
How-To-Repeat:
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int ac, char **av)
{
    int s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
    setsockopt(s, IPPROTO_IPV6, 25, 0xdeadbeef, 0x7fffffff);
}
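The size limit suggested in the description ("put some limits on the sopt_valsize before calling soopt_getm()"), modelled in userland as an added example; it is not part of the original report and not the code committed to ip6_output.c. The `ex_` names, the 2048-byte cluster size and the cap of 4 mbufs are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed values for illustration only; a kernel would use its own
 * MCLBYTES and a limit chosen by the maintainers. */
#define EX_MCLBYTES          2048u  /* bytes held by one cluster mbuf (assumed) */
#define EX_PKTOPTS_MAX_MBUFS 4u     /* hypothetical cap on the option chain */

/* Model of how many mbufs a chain needs to hold valsize bytes of option
 * data: one cluster per EX_MCLBYTES, plus one more mbuf for any tail. */
static size_t ex_mbufs_needed(size_t valsize)
{
    return valsize / EX_MCLBYTES + (valsize % EX_MCLBYTES != 0);
}

/* Validate the caller-supplied length BEFORE anything is allocated.
 * Returns 0 if the request may proceed, otherwise an errno value. */
static int ex_check_pktopts_len(int optlen)
{
    if (optlen < 0)                 /* the optlen = -1 case (kern/98858) */
        return EINVAL;
    if (ex_mbufs_needed((size_t)optlen) > EX_PKTOPTS_MAX_MBUFS)
        return EMSGSIZE;            /* the huge-optlen case from this report */
    return 0;
}

int main(void)
{
    /* Constructed sample lengths, including the two from the report. */
    const int samples[] = { 64, 4 * 2048, 4 * 2048 + 1, 0x7fffffff, -1 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int len = samples[i];
        int err = ex_check_pktopts_len(len);

        if (len >= 0)
            printf("optlen=%d mbufs=%zu -> %s\n", len,
                ex_mbufs_needed((size_t)len), err ? "rejected" : "accepted");
        else
            printf("optlen=%d -> rejected\n", len);
    }
    return 0;
}
```

Without such a check, the model shows that the reported length of 0x7fffffff would ask for over a million mbufs in a single call.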
Comment 1 Robert Watson freebsd_committer freebsd_triage 2008-03-08 20:27:57 UTC
Responsible Changed
From-To: freebsd-bugs->bz

Bjoern has recently been working with the IPv6 options code, pass it over 
to him to opine on.
Comment 2 Bjoern A. Zeeb freebsd_committer freebsd_triage 2014-05-18 06:04:28 UTC
Responsible Changed
From-To: bz->gnn

I shall not use bugzilla (at least until we will have a CLI).
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-10-17 23:25:36 UTC
A commit references this bug:

Author: gnn
Date: Mon Oct 17 23:25:32 UTC 2016
New revision: 307541
URL: https://svnweb.freebsd.org/changeset/base/307541

Log:
  Limit the number of mbufs that can be allocated for IPV6_2292PKTOPTIONS
  (and IPV6_PKTOPTIONS).

  PR:		100219
  Submitted by:	Joseph Kong
  MFC after:	2 weeks
  Differential Revision:	https://reviews.freebsd.org/D5157

Changes:
  head/sys/netinet6/ip6_output.c
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-11-23 13:14:58 UTC
A commit references this bug:

Author: gnn
Date: Wed Nov 23 13:14:19 UTC 2016
New revision: 309057
URL: https://svnweb.freebsd.org/changeset/base/309057

Log:
  MFC: 307541

  Limit the number of mbufs that can be allocated for IPV6_2292PKTOPTIONS
  (and IPV6_PKTOPTIONS).

  PR:		100219
  Submitted by:	Joseph Kong

Changes:
_U  stable/11/
  stable/11/sys/netinet6/ip6_output.c
Comment 5 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:50:28 UTC
batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Comment 6 Oleksandr Tymoshenko freebsd_committer freebsd_triage 2019-01-19 06:40:08 UTC
Looks like fix has been committed. Closing as fixed