aboutsummaryrefslogtreecommitdiffstats
path: root/sys/netinet/if_ether.c
diff options
context:
space:
mode:
authorBruce M Simpson <bms@FreeBSD.org>2003-09-23 16:54:39 +0000
committerBruce M Simpson <bms@FreeBSD.org>2003-09-23 16:54:39 +0000
commit21a09e47d302eccbed398a94184487c31f4ac47b (patch)
tree4e26c582dc9a72c88ce0fab126399b1f4f3f375a /sys/netinet/if_ether.c
parent80b97c646ba4a8cccde5037cce46adf575cda630 (diff)
downloadsrc-21a09e47d302eccbed398a94184487c31f4ac47b.tar.gz
src-21a09e47d302eccbed398a94184487c31f4ac47b.zip
Fix a bug in arplookup(), whereby a hostile party on a locally
attached network could exhaust kernel memory, and cause a system panic, by sending a flood of spoofed ARP requests. Approved by: security-officer, jake (mentor) Reported by: Apple Product Security <product-security@apple.com>
Notes
Notes: svn path=/releng/4.6/; revision=120385
Diffstat (limited to 'sys/netinet/if_ether.c')
-rw-r--r--sys/netinet/if_ether.c20
1 files changed, 14 insertions, 6 deletions
diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index 94f5d62f26c1..317e2f8260df 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -891,12 +891,20 @@ arplookup(addr, create, proxy)
else if (rt->rt_gateway->sa_family != AF_LINK)
why = "gateway route is not ours";
- if (why && create) {
- log(LOG_DEBUG, "arplookup %s failed: %s\n",
- inet_ntoa(sin.sin_addr), why);
- return 0;
- } else if (why) {
- return 0;
+ if (why) {
+ if (create)
+ log(LOG_DEBUG, "arplookup %s failed: %s\n",
+ inet_ntoa(sin.sin_addr), why);
+
+ /* If there are no references to this route, purge it */
+ if (rt->rt_refcnt <= 0 &&
+ (rt->rt_flags & RTF_WASCLONED) != RTF_WASCLONED) {
+ rtrequest(RTM_DELETE,
+ (struct sockaddr *)rt_key(rt),
+ rt->rt_gateway, rt_mask(rt),
+ rt->rt_flags, 0);
+ }
+ return (0);
}
return ((struct llinfo_arp *)rt->rt_llinfo);
}