26th Sep 2002 [SBWID-5284]
COMMAND
	FreeBSD routing table memory leak
SYSTEMS AFFECTED
	 FreeBSD 4.5-RELEASE
	 FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC
	 and prior to the correction date
	 Corrected: 2002-03-22 16:54:19 UTC (RELENG_4)
	            2002-04-15 17:12:08 UTC (RELENG_4_5)
PROBLEM
	In FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip :
	 Background
	 ==========
	The TCP/IP stack's routing table records information about how to  reach
	various destinations. The first time a  TCP  connection  is  established
	with a particular host, a so-called "cloned route" entry for  that  host
	is automatically derived from one of the predefined routes and added  to
	the table. Each entry has a reference  count  that  indicates  how  many
	existing connections use that entry; when the  reference  count  reaches
	zero, the entry is removed from the table.
	 Problem Description
	 ===================
	A bug was introduced into ip_output() wherein the processing of an  ICMP
	echo reply message would cause a reference  count  on  a  routing  table
	entry to never be decremented. Thus, memory allocated  for  the  routing
	table entry was never deallocated.
	 Impact
	 ======
	This bug could be  exploited  to  effect  a  remote  denial  of  service
	attack. An attacker could cause new routing table entries (for  example,
	by taking advantage of TCP's route cloning behavior)  and  then  utilize
	this bug to cause the route entry  to  never  be  deallocated.  In  this
	fashion, the target system's memory can be exhausted.
SOLUTION
	 Workaround
	 ==========
	Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo messages.
	 Solution
	 ========
	1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or  the
	RELENG_4_5 security branch dated after the respective correction dates.
	2) To patch your present system:
	a) Download the relevant patch from the location below, and  verify  the
	detached PGP signature using your PGP utility.
	
	[4.5-RELEASE,
	 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc
	
	b) Execute the following commands as root:
	
	# cd /usr/src
	# patch < /path/to/patch
	
	c)      Recompile      your      kernel      as       described       in
	http://www.freebsd.org/handbook/kernelconfig.html   and    reboot    the
	system.
	 Correction details
	 ==================
	The following list contains the revision numbers of each file  that  was
	corrected in FreeBSD.
	
	Path                                                             Revision
	  Branch
	- -------------------------------------------------------------------------
	sys/netinet/ip_icmp.c
	  RELENG_4                                                      1.39.2.16
	  RELENG_4_5                                                1.39.2.14.2.1
	sys/netinet/ip_mroute.c
	  RELENG_4                                                       1.56.2.4
	  RELENG_4_5                                                 1.56.2.3.2.1
	sys/netinet/ip_output.c
	  RELENG_4                                                      1.99.2.29
	  RELENG_4_5                                                1.99.2.24.2.1
	- -------------------------------------------------------------------------