Date: Thu, 17 Apr 2003 11:44:13 +0200
From: Martin Schulze <joey@...odrom.org>
To: bugtraq@...urityfocus.com
Subject: Vulnerability in rinetd


Sam Hocevar discovered a security problem in rinetd, an IP connection
redirection server.  When the server maintains 64 connections and the
connection list is full, rinetd resizes the list in order to store the
new incoming connection.  However, this is done improperly, resulting
in a denial of service (rinetd may crash, hang or simply refuse new
connections) and potentially execution of arbitrary code.

The bug is triggered when 64 connections are active and a 65th is opened.

In rinetd.c:handleAccept(), when the connection list is full, rinetd
resizes it in order to store the current incoming connection.  There
are two problems in the code that performs the resizing:

  - one table (coClosing) is not resized.

  - after the resizing is done, the index for the new connection is set
    to the new table size (coTotal), a value that lies outside the tables.
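As an added illustration (not rinetd's code), a small C model of growing parallel per-connection tables the way the fix does: every table is grown together, the shared capacity is updated only after the last table succeeds, and the slot handed back is the old count o rather than the new capacity, with an explicit bounds check to apply before any write. The struct and function names are invented for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for rinetd's parallel per-connection tables (names
   follow the advisory and patch; this is not rinetd's own code). */
struct conn_tables {
    int total;       /* capacity shared by every table, like coTotal */
    int *closing;    /* the table the unfixed code forgot to grow (coClosing) */
    int *re_closed;  /* grown together with the rest (reClosed) */
    int *input_rpos; /* written first after the resize (coInputRPos) */
};

/* Grow one table from old_n to new_n ints, zeroing the new tail.
   Returns 1 on success, 0 on allocation failure (like SAFE_REALLOC). */
static int grow_table(int **table, int old_n, int new_n) {
    int *p = realloc(*table, sizeof(int) * new_n);
    if (!p) return 0; /* the old block stays valid on failure */
    memset(p + old_n, 0, sizeof(int) * (new_n - old_n));
    *table = p;
    return 1;
}

int conn_tables_init(struct conn_tables *t, int initial) {
    t->total = initial;
    t->closing = calloc(initial, sizeof(int));
    t->re_closed = calloc(initial, sizeof(int));
    t->input_rpos = calloc(initial, sizeof(int));
    return t->closing && t->re_closed && t->input_rpos;
}

void conn_tables_free(struct conn_tables *t) {
    free(t->closing); free(t->re_closed); free(t->input_rpos);
}

/* Double every table together and return the first free slot, or -1 on
   failure. The fixed rinetd returns o (the old count); the unfixed code used
   coTotal, the new capacity, which is one past the last valid slot. */
int grow_all_tables(struct conn_tables *t) {
    int o = t->total, n = o * 2;
    if (!grow_table(&t->closing, o, n) || !grow_table(&t->re_closed, o, n) ||
        !grow_table(&t->input_rpos, o, n))
        return -1;
    t->total = n; /* only updated once every table has been grown */
    return o;
}

/* Bounds check to apply before any table[index] write. */
int slot_in_bounds(const struct conn_tables *t, int index) {
    return index >= 0 && index < t->total;
}
```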

The bugfix is attached below.

Thomas Boutell released version 0.62 with this bugfix.

This problem is referenced as CAN-2003-0212 at the Common
Vulnerabilities and Exposures project.

--- rinetd.c.orig	2003-04-11 19:41:16.000000000 +0200
+++ rinetd.c	2003-04-11 19:41:08.000000000 +0200
@@ -1071,6 +1071,11 @@
 		{
 			goto shortage;
 		}
+		if (!SAFE_REALLOC(&coClosing, sizeof(int) * o, 
+			sizeof(int) * coTotal)) 
+		{
+			goto shortage;
+		}
 		if (!SAFE_REALLOC(&reClosed, sizeof(int) * o, 
 			sizeof(int) * coTotal)) 
 		{
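Review bot: the new coClosing call passes `sizeof(int) * o` as the old size and `sizeof(int) * coTotal` as the new size, matching the sibling reClosed call, so coTotal already holds the grown count when this block runs; a failed SAFE_REALLOC therefore jumps to `shortage` with the tables grown so far at the new size, the remaining ones at the old size, and coTotal pointing at the larger capacity. The shortage label is outside this hunk, but it should restore coTotal to o (or the growth should update coTotal only after the last SAFE_REALLOC succeeds) so a later index below coTotal cannot address a table that was never grown. Minor: the added lines copy the trailing whitespace after `o, ` and `) ` from the surrounding code.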
@@ -1140,7 +1145,7 @@
 				goto shortage;
 			}
 		}
-		index = coTotal;
+		index = o;
 	}
 	coInputRPos[index] = 0;
 	coInputWPos[index] = 0;
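Review bot: `index = o` is the correct slot, since o is the count before growth and thus the first newly allocated entry, whereas coTotal is now the doubled capacity, so the old `index = coTotal` made `coInputRPos[index] = 0` write one element past the end of every table (the out-of-bounds write the advisory describes). Worth adding a comment on `index = o` stating that o is the pre-resize size, and a defensive check such as `if (index >= coTotal) goto shortage;` before `coInputRPos[index] = 0;` so a future change to the growth logic fails closed instead of corrupting the heap.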



Regards,

	Joey
	Debian Security

-- 
Let's call it an accidental feature.  -- Larry Wall

