Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 15 May 1998 15:57:32 -0700 (PDT)
From:      Bill Paul <wpaul@FreeBSD.ORG>
To:        cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-lib@FreeBSD.ORG
Subject:   cvs commit: src/lib/libc/rpc svc_tcp.c svc_unix.c src/lib/libc/xdr xdr_rec.c
Message-ID:  <199805152257.PAA13380@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help
wpaul       1998/05/15 15:57:32 PDT

  Modified files:
    lib/libc/rpc         svc_tcp.c svc_unix.c 
  Log:
  Patch RPC library to avoid possible denial of service attacks as described
  recently in BUGTRAQ. If a stream oriented transport fails to properly decode
  an RPC message header structure where there should be one, it should mark
  the stream as dead so that the connection will be dropped.
  
  Revision  Changes    Path
  1.12      +2 -1      src/lib/libc/rpc/svc_tcp.c
  1.3       +2 -1      src/lib/libc/rpc/svc_unix.c

  Modified files:
    lib/libc/xdr         xdr_rec.c 
  Log:
  Patch RPC library to avoid possible denial of service attacks as described
  recently in BUGTRAQ. The set_input_fragment() routine in the XDR record
  marking code blindly trusts that the first two bytes it sees will in fact
  be an actual record header and that the specified size will be sane. In
  fact, if you just telnet to a listening port of an RPC service and send a
  few carriage returns, set_input_fragment() will obtain a ridiculously large
  record size and sit there for a long time trying to read from the network.
  
  A sanity test is required: if the record size is larger than the receive
  buffer, punt.
  
  Revision  Changes    Path
  1.9       +7 -1      src/lib/libc/xdr/xdr_rec.c



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805152257.PAA13380>