Date: Fri, 15 May 1998 15:57:32 -0700 (PDT) From: Bill Paul <wpaul@FreeBSD.ORG> To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-lib@FreeBSD.ORG Subject: cvs commit: src/lib/libc/rpc svc_tcp.c svc_unix.c src/lib/libc/xdr xdr_rec.c Message-ID: <199805152257.PAA13380@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
wpaul 1998/05/15 15:57:32 PDT
Modified files:
lib/libc/rpc svc_tcp.c svc_unix.c
Log:
Patch RPC library to avoid possible denial of service attacks as described
recently in BUGTRAQ. If a stream oriented transport fails to properly decode
an RPC message header structure where there should be one, it should mark
the stream as dead so that the connection will be dropped.
Revision Changes Path
1.12 +2 -1 src/lib/libc/rpc/svc_tcp.c
1.3 +2 -1 src/lib/libc/rpc/svc_unix.c
Modified files:
lib/libc/xdr xdr_rec.c
Log:
Patch RPC library to avoid possible denial of service attacks as described
recently in BUGTRAQ. The set_input_fragment() routine in the XDR record
marking code blindly trusts that the first two bytes it sees will in fact
be an actual record header and that the specified size will be sane. In
fact, if you just telnet to a listening port of an RPC service and send a
few carriage returns, set_input_fragment() will obtain a ridiculously large
record size and sit there for a long time trying to read from the network.
A sanity test is required: if the record size is larger than the receive
buffer, punt.
Revision Changes Path
1.9 +7 -1 src/lib/libc/xdr/xdr_rec.c
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805152257.PAA13380>