Date: Fri, 12 Nov 1999 11:53:37 +0100 (MET)
From: xaa@xaa.iae.nl
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/14844: DoS: remote rwhod crash
Message-ID: <19991112105337.043EABA23@esmeralda.xaa.iae.nl>
>Number: 14844
>Category: bin
>Synopsis: rwhod is remotely crashable
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 12 08:30:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Mark Huizer
>Release: FreeBSD 4.0-CURRENT i386
>Organization:
MCGV Stack
>Environment:
i386 running FreeBSD (alpha is not vulnerable)
>Description:
Sending a too short rwho package to a little-endian machine
will result in a SIGBUS, crashing rwhod.
>How-To-Repeat:
Take rwhod's code for sending rwho packages, but instead of the
correct length (in the variable cc in line ~470), send e.g. 48.
In the code for little-endian machines the length of the
user-list is calculated by:
(cc-WHDRSIZE)/sizeof(struct whoent)
which, due to the sizeof(), returns an unsigned int, which
results in a wrong loop a few lines later on.
The patch below will just drop a short package and log it.
>Fix:
Apply diff to current and stable
--- /usr/src/usr.sbin/rwhod/rwhod.c Sat Aug 28 16:28:05 1999
+++ rwhod.c Fri Nov 12 11:17:44 1999
@@ -281,6 +281,11 @@
ntohs(from.sin_port));
continue;
}
+ if (cc < WHDRSIZE) {
+ syslog(LOG_ERR, "Package too short from %x",
+ from.sin_addr);
+ continue;
+ }
if (wd.wd_vers != WHODVERSION)
continue;
if (wd.wd_type != WHODTYPE_STATUS)
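Review bot: The syslog() call in the added block passes from.sin_addr, which is a struct in_addr, to a %x conversion that expects an unsigned int, so the logged value is not reliable. Format the address explicitly, for example inet_ntoa(from.sin_addr) with %s, or ntohl(from.sin_addr.s_addr) with %x. Two smaller points on the same block: if WHDRSIZE is a sizeof-based expression, the comparison cc < WHDRSIZE is done in unsigned arithmetic, so it only behaves as intended when cc is already known to be non-negative here; and because any remote sender can trigger this LOG_ERR line with a single datagram, consider rate-limiting the message or lowering its level so the log cannot be flooded.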
>Release-Note:
>Audit-Trail:
>Unformatted:
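The unsigned arithmetic described under How-To-Repeat, as an added example that is not part of the original report and not code from rwhod. The struct layouts, the names whoent_demo, whod_demo and WHDRSIZE_DEMO, and the sample lengths are constructed for illustration; the checked variant goes beyond the patch by also rejecting negative, oversized and partial-entry lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layouts for illustration; not copied from rwhod's headers. */
struct whoent_demo { char line[8]; char name[8]; int32_t login_time; int32_t idle; };
struct whod_demo   { char hdr[60]; struct whoent_demo we[42]; };
#define WHDRSIZE_DEMO offsetof(struct whod_demo, we)   /* 60, type size_t */

/* Entry count written like the expression in the report: the size_t
 * operands make the whole expression unsigned, so a cc below the header
 * size wraps to a huge value instead of going negative. */
static size_t entries_unchecked(int cc)
{
    return (cc - WHDRSIZE_DEMO) / sizeof(struct whoent_demo);
}

/* Validate the received length before dividing.
 * Returns 0 and stores the count, or -1 if the datagram must be dropped. */
static int entries_checked(int cc, size_t *count)
{
    size_t len, body;

    if (cc < 0)
        return -1;                        /* receive error, not a length */
    len = (size_t)cc;
    if (len < WHDRSIZE_DEMO || len > sizeof(struct whod_demo))
        return -1;                        /* short or oversized datagram */
    body = len - WHDRSIZE_DEMO;
    if (body % sizeof(struct whoent_demo) != 0)
        return -1;                        /* trailing partial entry */
    *count = body / sizeof(struct whoent_demo);
    return 0;
}

int main(void)
{
    int lengths[] = { 48, 60, 84, 70, -1 };   /* constructed sample lengths */

    for (size_t i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) {
        size_t n = 0;
        int rc = entries_checked(lengths[i], &n);
        printf("cc=%d unchecked=%zu checked=%s n=%zu\n", lengths[i],
               entries_unchecked(lengths[i]), rc == 0 ? "accept" : "drop", n);
    }
    return 0;
}
```

For the length 48 used in the report, the unchecked count is far larger than the 42 entries the buffer holds, which is what drives the later loop out of bounds.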
