Date: Wed, 16 Aug 2000 20:23:20 -0400 (EDT)
From: "David G. Andersen" <dga@lcs.mit.edu>
To: freebsd-security@freebsd.org
Subject: Log message improvement for rpc.statd
Message-ID: <14747.12408.502747.852822@eep.lcs.mit.edu>

Just noticed that someone decided to try to be annoying with
my rpc.statd:
Aug 16 15:27:10 eep rpc.statd: invalid hostname to sm_stat:
^Xw^??^Xw^??^Yw^??^Yw^??^Zw^??^Zw^??^[w^??^[w^??%8x%8x%8x%8x%8x%8x%8x
%8x%8x%236x%n%137x%n%10x%n%192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P
The thing that strikes me about this is that the logging doesn't
include the IP address which resolved to this hostname; in
/usr/src/usr.sbin/rpc.statd/procs.c:sm_stat_1_svc

    if (gethostbyname(arg->mon_name)) res.res_stat = stat_succ;
    else
    {
        syslog(LOG_ERR, "invalid hostname to sm_stat: %s", arg->mon_name);
        res.res_stat = stat_fail;
    }

Is there a reason not to add in a call to svc_getcaller()
to identify the IP address of the remote host? It would
facilitate not only security, but debugging in general.
(My anoncvs doesn't appear to be working at the moment,
so I'm unable to check the history, but the version from
-current seems to have the same issue).
-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
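
One way the log message proposed above could be built, as an added example that is not part of the original e-mail or of FreeBSD's rpc.statd. The names format_bad_hostname and escape_name are hypothetical; the caller argument stands for the address svc_getcaller() returns, and the example goes beyond the suggestion by also escaping non-printable bytes in the hostname.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst, turning every byte outside printable ASCII (and the
 * backslash itself) into \xNN so control bytes cannot garble the log.
 * Output is truncated to fit dstlen, which must be at least 1. */
static void escape_name(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= dstlen) break;      /* keep room for the NUL */
            dst[o++] = (char)c;
        } else {
            if (o + 4 >= dstlen) break;      /* 4 chars plus the NUL */
            dst[o++] = '\\'; dst[o++] = 'x';
            dst[o++] = hex[c >> 4]; dst[o++] = hex[c & 15];
        }
    }
    dst[o] = '\0';
}

/* Build the log text: caller address first, then the escaped hostname.
 * caller is what svc_getcaller() would hand back; NULL logs "unknown". */
int format_bad_hostname(char *out, size_t outlen,
                        const struct sockaddr_in *caller, const char *mon_name)
{
    char ip[INET_ADDRSTRLEN], safe[128];
    if (caller == NULL ||
        inet_ntop(AF_INET, &caller->sin_addr, ip, sizeof(ip)) == NULL)
        snprintf(ip, sizeof(ip), "unknown");
    escape_name(safe, sizeof(safe), mon_name);
    return snprintf(out, outlen, "invalid hostname to sm_stat from %s: %s",
                    ip, safe);
}

int main(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };  /* constructed caller */
    char msg[256];
    inet_pton(AF_INET, "192.0.2.10", &sa.sin_addr);
    /* Constructed name: control bytes and format directives, as in the log. */
    format_bad_hostname(msg, sizeof(msg), &sa, "\x18" "w\x7f" "%8x%n\x10");
    puts(msg);  /* in the daemon this would be syslog(LOG_ERR, "%s", msg) */
    return 0;
}
```

The built string is passed to syslog only as a "%s" argument, so the directives in the hostname are logged as text rather than interpreted.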
