From owner-freebsd-security Wed Aug 16 17:23:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from eep.lcs.mit.edu (eep.lcs.mit.edu [18.31.0.114]) by hub.freebsd.org (Postfix) with ESMTP id 51C3737B6DC for ; Wed, 16 Aug 2000 17:23:23 -0700 (PDT) (envelope-from dga@eep.lcs.mit.edu)
Received: (from dga@localhost) by eep.lcs.mit.edu (8.9.3/8.9.3) id UAA74582; Wed, 16 Aug 2000 20:23:20 -0400 (EDT) (envelope-from dga)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14747.12408.502747.852822@eep.lcs.mit.edu>
Date: Wed, 16 Aug 2000 20:23:20 -0400 (EDT)
From: "David G. Andersen"
To: freebsd-security@freebsd.org
Subject: Log message improvement for rpc.statd
X-Mailer: VM 6.71 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just noticed that someone decided to try to be annoying with my rpc.statd:

Aug 16 15:27:10 eep rpc.statd: invalid hostname to sm_stat:
^Xw^??^Xw^??^Yw^??^Yw^??^Zw^??^Zw^??^[w^??^[w^??%8x%8x%8x%8x%8x%8x%8x
%8x%8x%236x%n%137x%n%10x%n%192x%n
[long run of ^P characters]

The thing that strikes me about this is that the logging doesn't include the IP address which resolved to this hostname; in /usr/src/usr.sbin/rpc.statd/procs.c:sm_stat_1_svc

  if (gethostbyname(arg->mon_name)) res.res_stat = stat_succ;
  else
  {
    syslog(LOG_ERR, "invalid hostname to sm_stat: %s", arg->mon_name);
    res.res_stat = stat_fail;
  }

Is there a reason not to add in a call to svc_getcaller() to identify the IP address of the remote host? It would facilitate not only security, but debugging in general.

(My anoncvs doesn't appear to be working at the moment, so I'm unable to check the history, but the version from -current seems to have the same issue).

  -Dave

--
work: dga@lcs.mit.edu          me: dga@pobox.com
MIT Laboratory for Computer Science          http://www.angio.net/
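
Added example, not part of the original message and not FreeBSD's code: one way the failure log could carry the caller's address, assuming the service routine passes in the result of svc_getcaller(rqstp->rq_xprt). The helper name, NAME_LOG_MAX, the byte escaping and the sample address 192.0.2.10 are assumptions made for illustration, and the escaping and length cap go beyond what the message asks for.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define NAME_LOG_MAX 64	/* assumed cap on logged name bytes */

/*
 * Hypothetical helper: build the log text for a failed sm_stat lookup.
 * `caller` is what svc_getcaller(rqstp->rq_xprt) yields in the service
 * routine. The address precedes the name so a long name cannot push it
 * off the line. Returns the number of name bytes consumed.
 */
size_t format_sm_stat_failure(char *out, size_t outlen,
    const struct sockaddr_in *caller, const char *mon_name)
{
	char addr[INET_ADDRSTRLEN] = "unknown";
	size_t used, i;

	if (caller != NULL)
		inet_ntop(AF_INET, &caller->sin_addr, addr, sizeof(addr));
	snprintf(out, outlen, "invalid hostname to sm_stat from %s: ", addr);
	used = strlen(out);
	for (i = 0; mon_name[i] != '\0' && i < NAME_LOG_MAX; i++) {
		unsigned char c = (unsigned char)mon_name[i];
		if (used + 5 > outlen)	/* need room for "\xNN" plus NUL */
			break;
		if (c >= 0x20 && c < 0x7f && c != '\\')
			out[used++] = (char)c;
		else	/* escape control, 8-bit and backslash bytes */
			used += (size_t)snprintf(out + used, outlen - used, "\\x%02x", c);
	}
	out[used] = '\0';
	return i;
}

int main(void)
{
	struct sockaddr_in peer;	/* constructed caller, 192.0.2.10 */
	char line[512];
	memset(&peer, 0, sizeof(peer));
	peer.sin_family = AF_INET;
	inet_pton(AF_INET, "192.0.2.10", &peer.sin_addr);
	format_sm_stat_failure(line, sizeof(line), &peer, "\x18w\x7f%8x%n\x10");
	syslog(LOG_ERR, "%s", line);	/* logged as data, not as a format */
	puts(line);
	return 0;
}
```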