Bug 64345

Summary: 4.x IPFW2 kernel memory leak (IPFW2+route flaps+verrevpath)
Product: Base System
Reporter: Dmitry Morozovsky <marck>
Component: kern
Assignee: freebsd-ipfw (Nobody) <ipfw>
Status: Closed FIXED
Severity: Affects Only Me
CC: oleg
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any
Attachments:
Description  Flags
file.diff    none

Description Dmitry Morozovsky 2004-03-16 16:30:24 UTC
The following error has been caught by Oleg Bulyzhin <oleg@rinet.ru>

It seems 4-STABLE leaks kernel memory in routing table while checking reverse
paths.  Our inter-vlan router with zebra/ospfd and 60+ VLANs exhausts default
100M of router table space in a couple of weeks.

Error does not belong to -current since verify_rev_path() has been implemented
in a different (and much cleaner) way.

Fix: The following patch seems to fix the problem for us.  However, other corner
cases may exist, so maybe just MFC ip_fw2.c:1.50?
How-To-Repeat:
- build kernel or .ko with ipfw2
- add verrevpath checking rule:
  ipfw add 50 deny ip from any to any not verrevpath in
- use routing daemon with regular route update flow
- watch for kernel memory used by route table by:
  vmstat -m | grep rout | tail -1
Comment 1 Dmitry Morozovsky 2004-03-17 18:32:18 UTC
Forwarding misfiled message to audit-trail:

Sincerely,
D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Wed, 17 Mar 2004 17:16:13 +0300 (MSK)
From: Oleg Bulyzhin <oleg@rinet.ru>
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: 4.x IPFW2 kernel memory leak (IPFW2+route flaps+verrevpath)


In order to reproduce problem do the following:

ifconfig fxp0 10.0.0.1/24
ipfw add 1 count verrevpath in

while (true); do
    ping -c 2 -i 0.01 -S 10.0.0.1 localhost >/dev/null
    ping -c 2 -i 0.01 -S 127.0.0.1 localhost >/dev/null
    route delete 10.0.0.1 >/dev/null
    netstat -rs | tail -1
    vmstat -m | grep routetbl | tail -1
done

and look at numbers. If you run this script long enough (depends on your kernel
memory size) you will get panic like this:

panic: kmem_malloc(4096): kmem_map too small: 33554432 total allocated

This happens because verify_rev_path() calls rtalloc_ign() (for non-cached
routes), which increments rt_refcnt for the corresponding rtentry structure.
This leads to routes that are always 'held' and cannot be released by rtfree()
(since their rt_refcnt will never hit zero).

P.S. This bug is remotely exploitable (at least if the attacker is in your LAN).

-- 
Oleg.

================================================================
=== Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru ===
================================================================
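The mechanism Oleg describes above (a lookup that bumps rt_refcnt with no matching release, so "route delete" can never free the entry) is a generic reference-count leak. The following is an added example, not code from this bug report or from sys/netinet/ip_fw2.c: a userland toy model of a reference-counted route table with hypothetical names (rt_add, rt_lookup_ref, rt_release, rt_delete, verrevpath_leaky, verrevpath_fixed). It runs the report's add/check/delete loop against a leaky check and a corrected one and counts how many rtentry allocations survive, which is what the growing "routetbl" line in vmstat -m was showing.

```c
/* Toy reference-counted route table (hypothetical, added example). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct rtentry {
    uint32_t        dst;        /* destination address, host byte order */
    int             rt_refcnt;  /* references currently held */
    int             linked;     /* 1 while the entry is in the table */
    struct rtentry *next;
};

static struct rtentry *rt_head;  /* the toy routing table */
static int rt_live;              /* entries allocated (what vmstat -m would count) */

/* Insert a route; the table itself holds one reference. */
static struct rtentry *rt_add(uint32_t dst)
{
    struct rtentry *rt = calloc(1, sizeof(*rt));
    if (rt == NULL)
        abort();
    rt->dst = dst;
    rt->rt_refcnt = 1;
    rt->linked = 1;
    rt->next = rt_head;
    rt_head = rt;
    rt_live++;
    return rt;
}

/* Drop one reference; free the entry only when nothing holds it (rtfree-like). */
static void rt_release(struct rtentry *rt)
{
    if (--rt->rt_refcnt == 0) {
        free(rt);
        rt_live--;
    }
}

/* Lookup that hands back a referenced entry (rtalloc_ign-like): caller must release. */
static struct rtentry *rt_lookup_ref(uint32_t dst)
{
    for (struct rtentry *rt = rt_head; rt != NULL; rt = rt->next) {
        if (rt->linked && rt->dst == dst) {
            rt->rt_refcnt++;
            return rt;
        }
    }
    return NULL;
}

/* "route delete": unlink the entry and drop the table's own reference.
 * If someone else still holds a reference, the memory stays allocated. */
static int rt_delete(uint32_t dst)
{
    for (struct rtentry **pp = &rt_head; *pp != NULL; pp = &(*pp)->next) {
        struct rtentry *rt = *pp;
        if (rt->linked && rt->dst == dst) {
            *pp = rt->next;
            rt->linked = 0;
            rt_release(rt);
            return 0;
        }
    }
    return -1;
}

/* Leaky reverse-path check: takes a reference and never gives it back. */
static int verrevpath_leaky(uint32_t src)
{
    struct rtentry *rt = rt_lookup_ref(src);
    return rt != NULL;              /* reference leaked on every hit */
}

/* Corrected check: releases the reference it took. */
static int verrevpath_fixed(uint32_t src)
{
    struct rtentry *rt = rt_lookup_ref(src);
    if (rt == NULL)
        return 0;
    rt_release(rt);
    return 1;
}

/* Run the report's loop (add route, two checks, delete route) `rounds` times
 * and return how many rtentry allocations remain afterwards. */
static int simulate(int (*check)(uint32_t), int rounds)
{
    const uint32_t dst = 0x0a000001u;   /* 10.0.0.1, constructed sample */
    int before = rt_live;
    for (int i = 0; i < rounds; i++) {
        rt_add(dst);
        check(dst);
        check(dst);
        rt_delete(dst);
    }
    return rt_live - before;
}

int main(void)
{
    printf("leaked entries, leaky check: %d\n", simulate(verrevpath_leaky, 100));
    printf("leaked entries, fixed check: %d\n", simulate(verrevpath_fixed, 100));
    return 0;
}
```

The leaky variant leaves one unreachable rtentry per round (the refcount never returns to zero, so rt_delete cannot free it), which is the same monotonic growth the vmstat -m loop in the report exposes; the fixed variant leaves nothing behind.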
Comment 2 Kris Kennaway freebsd_committer freebsd_triage 2004-03-17 23:08:15 UTC
Responsible Changed
From-To: freebsd-bugs->ipfw

Assign to ipfw mailing list
Comment 3 Maxim Konovalov freebsd_committer freebsd_triage 2004-04-04 12:02:39 UTC
State Changed
From-To: open->closed

Andre has fixed this bug in rev. 1.6.2.21 sys/netinet/ip_fw2.c.  Thanks 
for the report.