Date:      Fri, 12 Nov 1999 11:53:37 +0100 (MET)
From:      xaa@xaa.iae.nl
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/14844: DoS: remote rwhod crash
Message-ID:  <19991112105337.043EABA23@esmeralda.xaa.iae.nl>


>Number:         14844
>Category:       bin
>Synopsis:       rwhod is remotely crashable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 12 08:30:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Mark Huizer
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
MCGV Stack
>Environment:

	i386 running FreeBSD (alpha is not vulnerable)

>Description:

	Sending a too short rwho package to a little-endian machine
	will result in a SIGBUS, crashing rwhod

>How-To-Repeat:

	Take rwhod's code for sending rwho packages, but instead of the
	correct length (in the variable cc in line ~470), send e.g. 48.
	In the code for little-endian machines the length of the
	user-list is calculated by:
	    (cc-WHDRSIZE)/sizeof(struct whoent)
	which, due to the sizeof(), returns an unsigned int, which
	results in a wrong loop a few lines later on.
	The patch below will just drop a short package and log it.

>Fix:

Apply diff to current and stable

--- /usr/src/usr.sbin/rwhod/rwhod.c	Sat Aug 28 16:28:05 1999
+++ rwhod.c	Fri Nov 12 11:17:44 1999
@@ -281,6 +281,11 @@
 				ntohs(from.sin_port));
 			continue;
 		}
+		if (cc < WHDRSIZE) {
+			syslog(LOG_ERR, "Package too short from %x",
+				from.sin_addr);
+			continue;
+		}
 		if (wd.wd_vers != WHODVERSION)
 			continue;
 		if (wd.wd_type != WHODTYPE_STATUS)
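Review bot: In the added syslog() call, from.sin_addr is a struct in_addr passed to a %x conversion, which is a type mismatch in a variadic call; pass inet_ntoa(from.sin_addr) with %s (or from.sin_addr.s_addr if hex output is really wanted), in the same way the context line above converts the port with ntohs(). Also, per the description WHDRSIZE is built from sizeof and is therefore unsigned, so `cc < WHDRSIZE` is itself evaluated in unsigned arithmetic; writing `cc < (int)WHDRSIZE` keeps the test correct should cc ever be negative at this point. Because any remote sender can trigger this message, logging every short packet at LOG_ERR may be worth lowering or rate-limiting.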


>Release-Note:
>Audit-Trail:
>Unformatted:
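The unsigned wrap described under How-To-Repeat, shown next to a checked form, as an added example (not part of the original report and not rwhod's own code). The struct layout, MAX_ENTRIES and both function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout modelled on the rwho wire format; sizes are illustrative. */
struct whoent { char line[8]; char name[8]; int time; int idle; };
struct whod {
    char vers, type, pad[2];
    int sendtime, recvtime;
    char hostname[32];
    int loadav[3];
    int boottime;
    struct whoent we[1024 / sizeof(struct whoent)];
};
#define WHDRSIZE    (sizeof(struct whod) - sizeof(((struct whod *)0)->we))
#define MAX_ENTRIES (sizeof(((struct whod *)0)->we) / sizeof(struct whoent))

/* The calculation from the report: cc is a signed byte count, but the
 * sizeof operands are unsigned, so cc - WHDRSIZE wraps when cc is short. */
size_t entries_unchecked(int cc)
{
    return (cc - WHDRSIZE) / sizeof(struct whoent);
}

/* Checked form: compare in signed arithmetic before subtracting.
 * Returns the entry count, or -1 if the datagram should be dropped. */
int entries_checked(int cc)
{
    if (cc < (int)WHDRSIZE || cc > (int)sizeof(struct whod))
        return -1;
    return (cc - (int)WHDRSIZE) / (int)sizeof(struct whoent);
}

int main(void)
{
    int lengths[] = { 48, 60, 132, 2000 };   /* constructed sample lengths */
    for (size_t i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++)
        printf("cc=%d unchecked=%zu checked=%d (max %zu)\n", lengths[i],
               entries_unchecked(lengths[i]), entries_checked(lengths[i]),
               (size_t)MAX_ENTRIES);
    return 0;
}
```

With cc = 48 the unchecked count is far larger than the array can hold, which is the "wrong loop" the report refers to; the checked form also rejects datagrams longer than the structure.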