From owner-freebsd-bugs Fri Nov 12 08:30:07 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 6B34614F92
	for ; Fri, 12 Nov 1999 08:30:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id IAA88921;
	Fri, 12 Nov 1999 08:30:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from esmeralda.xaa.iae.nl (esmeralda.xaa.iae.nl [194.151.75.9])
	by hub.freebsd.org (Postfix) with ESMTP id 48D4014F82
	for ; Fri, 12 Nov 1999 08:26:18 -0800 (PST)
	(envelope-from xaa@xaa.iae.nl)
Received: by esmeralda.xaa.iae.nl (Postfix, from userid 1002)
	id 043EABA23; Fri, 12 Nov 1999 11:53:37 +0100 (MET)
Message-Id: <19991112105337.043EABA23@esmeralda.xaa.iae.nl>
Date: Fri, 12 Nov 1999 11:53:37 +0100 (MET)
From: xaa@xaa.iae.nl
Reply-To: xaa@xaa.iae.nl
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/14844: DoS: remote rwhod crash
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         14844
>Category:       bin
>Synopsis:       rwhod is remotely crashable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 12 08:30:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Mark Huizer
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
MCGV Stack
>Environment:
i386 running FreeBSD (alpha is not vulnerable)
>Description:
Sending a too short rwho packet to a little-endian machine will result in a SIGBUS, crashing rwhod.
>How-To-Repeat:
Take rwhod's code for sending rwho packets, but instead of the correct length (in the variable cc in line ~470), send e.g. 48.

In the code for little-endian machines the length of the user list is calculated by:

	(cc-WHDRSIZE)/sizeof(struct whoent)

which, due to the sizeof(), returns an unsigned int, which results in a wrong loop a few lines later on.

The patch below will just drop a short packet and log it.
>Fix:
Apply diff to -current and -stable.

--- /usr/src/usr.sbin/rwhod/rwhod.c	Sat Aug 28 16:28:05 1999
+++ rwhod.c	Fri Nov 12 11:17:44 1999
@@ -281,6 +281,11 @@
 				ntohs(from.sin_port));
 			continue;
 		}
+		if (cc < WHDRSIZE) {
+			syslog(LOG_ERR, "Package too short from %x",
+			    from.sin_addr);
+			continue;
+		}
 		if (wd.wd_vers != WHODVERSION)
 			continue;
 		if (wd.wd_type != WHODTYPE_STATUS)
>Release-Note:
>Audit-Trail:
>Unformatted:
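Review bot: the syslog() call in the added block passes `from.sin_addr`, a `struct in_addr`, to a `%x` conversion; a struct is not a valid argument for `%x` (undefined behaviour in printf-style formatting), and where it happens to work on i386 it logs the address as a raw network-byte-order integer rather than dotted quad. Log it the way the neighbouring port check does and record how short the datagram was, e.g. `syslog(LOG_ERR, "packet too short (%d bytes) from %s", cc, inet_ntoa(from.sin_addr));` (inet_ntoa needs <arpa/inet.h> if rwhod.c does not already include it), and spell it "packet" rather than "Package". A second point on `if (cc < WHDRSIZE)`: if WHDRSIZE is built from sizeof(), as the description says the entry-count expression is, this comparison is performed in unsigned arithmetic and a negative `cc` from a failed recvfrom() would slip through; either make sure the receive-error path does `continue` before this point, or write the test as `cc < 0 || (size_t)cc < WHDRSIZE`. Accepting `cc == WHDRSIZE` (a header with an empty user list) is correct, and a length that is not a multiple of `sizeof(struct whoent)` is still truncated by the division exactly as before, so no further change is needed for that.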
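As an added illustration (example code written for this page, not the PR's patch or the rwhod source), the following C program reproduces the arithmetic the report describes and shows the bounds check that prevents it. The `struct whod` / `struct whoent` layouts are an assumption: they are written with fixed-width types to match the classic rwho wire format (a 60-byte header followed by 24-byte entries), not copied from /usr/include/protocols/rwhod.h, and the helpers `entries_unchecked`, `entries_checked`, `count_names` and `build_sample` are invented for the example. The sample packet is constructed inline.

```c
/*
 * Added example for PR bin/14844 (not code from the PR or from rwhod.c).
 * Shows why (cc - WHDRSIZE) / sizeof(struct whoent) explodes for a short
 * datagram, and the check that rejects it before any loop runs.
 *
 * Struct layouts below are ASSUMED to mirror the classic rwho protocol
 * (fixed-width types, 4-byte alignment, so WHDRSIZE == 60 and each
 * entry is 24 bytes); they are not the system header.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct whoent {
    char    out_line[8];   /* tty name */
    char    out_name[8];   /* user name */
    int32_t out_time;      /* login time */
    int32_t we_idle;       /* idle seconds */
};

#define WD_MAXENT (1024 / sizeof(struct whoent))

struct whod {
    uint8_t  wd_vers;
    uint8_t  wd_type;
    uint8_t  wd_pad[2];
    int32_t  wd_sendtime;
    int32_t  wd_recvtime;
    char     wd_hostname[32];
    int32_t  wd_loadav[3];
    int32_t  wd_boottime;
    struct whoent wd_we[WD_MAXENT];
};

/* Size of the fixed header; a size_t, since it is built from sizeof(). */
#define WHDRSIZE (sizeof(struct whod) - WD_MAXENT * sizeof(struct whoent))

/* The arithmetic the PR describes. cc is the int returned by recvfrom(). */
size_t entries_unchecked(int cc)
{
    /* int minus size_t: cc is converted to size_t, so for cc < WHDRSIZE
     * the subtraction wraps to an enormous value and so does the count. */
    return (cc - WHDRSIZE) / sizeof(struct whoent);
}

/* Hardened: refuse anything shorter than the header, comparing as signed first. */
int entries_checked(int cc, size_t *n)
{
    if (cc < 0 || (size_t)cc < WHDRSIZE)
        return -1;                      /* short or failed receive: drop it */
    *n = ((size_t)cc - WHDRSIZE) / sizeof(struct whoent);
    return 0;
}

/* Copy out the user names of a received datagram, bounded by bytes received. */
int count_names(const unsigned char *buf, int cc, char names[][9], size_t max)
{
    size_t n, i;
    if (entries_checked(cc, &n) != 0)
        return -1;
    const struct whod *wd = (const struct whod *)buf;   /* buf is aligned (see pkt) */
    for (i = 0; i < n && i < max; i++) {
        memcpy(names[i], wd->wd_we[i].out_name, 8);
        names[i][8] = '\0';
    }
    return (int)i;
}

/* Constructed sample datagram: header plus two entries, as rwhod would send. */
union { struct whod wd; unsigned char raw[sizeof(struct whod)]; } pkt;

int build_sample(void)
{
    memset(&pkt, 0, sizeof pkt);
    pkt.wd.wd_vers = 1;
    pkt.wd.wd_type = 1;
    strncpy(pkt.wd.wd_hostname, "esmeralda", sizeof pkt.wd.wd_hostname - 1);
    strncpy(pkt.wd.wd_we[0].out_name, "xaa", 8);
    strncpy(pkt.wd.wd_we[1].out_name, "root", 8);
    return (int)(WHDRSIZE + 2 * sizeof(struct whoent));  /* bytes "received" */
}

int main(void)
{
    int cc = build_sample();
    char names[4][9];
    size_t n;

    printf("unchecked entry count for a 48-byte datagram: %zu\n", entries_unchecked(48));
    printf("checked: 48-byte datagram %s\n",
           entries_checked(48, &n) ? "rejected" : "accepted");
    int got = count_names(pkt.raw, cc, names, 4);
    printf("%d entries in the sample datagram, first user %s\n", got, names[0]);
    return 0;
}
```

On a 32-bit i386 build the unchecked count for 48 bytes is 178956970; the loop that follows in the daemon walks that many 24-byte entries off the end of the receive buffer, which is the SIGBUS the report describes. The check in `entries_checked` tests `cc < 0` before the unsigned comparison so a failed recvfrom() is also rejected rather than wrapped.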