Re: [Openslp-devel] Remote DOS crash in openslp
From: John C. <joh...@gm...> - 2012-12-12 19:20:01
(copying list)

In an attempt to begin doing more unit testing, I've added a unit test framework to slp_compare.c. This is nothing more than a test-main at the bottom of the source file. I've added six tests to start with, but many, many more could be added to give us better coverage of this utility module.

John

> -----Original Message-----
> From: Matthew Pendlebury [mailto:Matthew.Pendlebury@thales-esecurity.com]
> Sent: Wednesday, December 12, 2012 8:37 AM
> To: joh...@gm...
> Cc: Richard Porter
> Subject: RE: Re: Remote DOS crash in openslp
>
> Hi John,
>
> FWIW we were looking to see if we could find out what was causing the crash noted in http://secunia.com/advisories/50130/ and if that still occurred using the v2 protocol which is what we are using here as the scant details of the vulnerability suggest a v1 issue. However there is still a fair body of code in current version dating from v1.21 times especially in the parsing utility routines. Figuring that if anyone other than the finder has more details of that vulnerability it is probably yourself, then you might want to quickly see if that cures this issue as well.
>
> Hope that helps
>
> --Matt
>
> > -----Original Message-----
> > From: Richard Porter [mailto:Ric...@th...]
> > Sent: 12 December 2012 15:18
> > To: Matthew Pendlebury
> > Subject: Fwd: Re: Remote DOS crash in openslp
> >
> > -------- Original Message --------
> > Subject: Re: Remote DOS crash in openslp
> > Date: Wed, 12 Dec 2012 15:15:37 +0000
> > From: John Calcote <joh...@gm...>
> > To: Richard Porter <Ric...@th...>
> >
> > Thanks Richard. I'll apply the patch this morning.
> >
> > Sent from my HTC One™ X+, an AT&T 4G LTE smartphone
> >
> > ----- Reply message -----
> > From: "Richard Porter" <Ric...@th...>
> > To: <joh...@gm...>
> > Subject: Remote DOS crash in openslp
> > Date: Wed, Dec 12, 2012 4:00 AM
> >
> > Hi John
> >
> > This is an additional patch to the set I just posted to openslp-devel.
> >
> > We've recently performed some protocol fuzzing against openslp, and recorded a crash in SLPDProcessMessage(). What seems to be happening is, the SrvReg packet parser decides that the packet is not valid, and sets errorcode. The lines marked 'TRICKY' then free the recvbuf as it was duplicated earlier. Unfortunately, when the if statements unwind, the end of the function checks if errorcode is set and then tries to log the now-freed recvbuf, which segfaults. My fix is to set recvbuf=0 when it is freed, which then short-circuits the SLPDLogMessage() function.
> >
> > I've attached a patch, and a way to reproduce the crash.
> >
> > - Richard
> >
> > Consider the environment before printing this mail.
> >
> > Thales e-Security Limited is incorporated in England and Wales with company registration number 2518805. Its registered office is located at 2 Dashwood Lang Road, The Bourne Business Park, Addlestone, Nr. Weybridge, Surrey KT15 2NX.
> >
> > The information contained in this e-mail is confidential. It may also be privileged. It is intended only for the stated addressee(s) and access to it by any other person is unauthorised. If you are not an addressee or the intended addressee, you must not disclose, copy, circulate or in any other way use or rely on the information contained in this e-mail. Such unauthorised use may be unlawful. If you have received this e-mail in error, please inform us immediately on +44 (0)1223 723600 and delete it and all copies from your system. Commercial matters detailed or referred to in this e-mail are subject to a written contract signed for and on behalf of Thales e-Security Limited.
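The free-then-log sequence Richard describes, reduced to a small C model. This is an illustration added here, not OpenSLP's source or the attached patch: `log_message`, `parse_srvreg` and `process_message` are hypothetical stand-ins for SLPDLogMessage(), the SrvReg parser and SLPDProcessMessage(), and the packet contents are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for SLPDLogMessage() (hypothetical): returns the number of
 * bytes it would log, or 0 when there is nothing valid to log. The NULL
 * check is what makes the thread's fix (recvbuf = 0) short-circuit safely. */
static int log_message(int errorcode, const char *recvbuf)
{
    if (errorcode == 0 || recvbuf == NULL)
        return 0;                       /* nothing to log, or buffer already gone */
    return (int)strlen(recvbuf);
}

/* Stand-in for the SrvReg packet parser (hypothetical, constructed rule):
 * a packet is "valid" only if it starts with 'S'. Real slpd checks lengths
 * and fields; the point here is only that an invalid packet sets errorcode. */
static int parse_srvreg(const char *buf)
{
    return (buf[0] == 'S') ? 0 : 1;     /* 0 = ok, nonzero = errorcode */
}

/* Mirrors the control flow in the report: the buffer is duplicated, the
 * parser sets errorcode, the error path frees the duplicate (the TRICKY
 * lines), and the end of the function logs recvbuf whenever errorcode is
 * set. clear_on_free selects unpatched (0) or patched (1) behaviour.
 * Returns -1 when the logger would have been handed freed memory (the
 * reported segfault), otherwise the logger's result. */
static int process_message(const char *packet, int clear_on_free)
{
    char *recvbuf = strdup(packet);     /* duplicated earlier, as in slpd */
    int errorcode = parse_srvreg(recvbuf);
    int released = 0;

    if (errorcode) {
        free(recvbuf);                  /* TRICKY: error path releases the copy */
        released = 1;
        if (clear_on_free)
            recvbuf = NULL;             /* the fix: no dangling pointer survives */
    }

    /* The if statements have unwound; the original code logs here. */
    if (released && !clear_on_free)
        return -1;                      /* demo guard instead of a real use-after-free */
    if (!errorcode) {
        free(recvbuf);                  /* normal path: copy consumed, nothing logged */
        return 0;
    }
    return log_message(errorcode, recvbuf);
}
```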