lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.44.0311061432300.15902-100000@lcws.hpc.unm.edu>
Date: Thu, 6 Nov 2003 14:33:18 -0700 (MST)
From: Jim Prewett <download@....unm.edu>
To: bugtraq@...urityfocus.com
Subject: DoS for Ganglia


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The Center for High Performance Computing at UNM / Dopesquad
                        Security Advisory

Wed Nov  5 13:10:35 MST 2003

Discovery made by: James E. Prewett (download@....unm.edu)
Product: Ganglia
Versions: 2.5.3 tested

There is an error in Ganglia's gmond such that specially crafted packets
will crash the service.

To reproduce this error, a packet must be sent advertising a user-defined
metric that has a name string of length 1.  This packet cannot be sent
from the standar d client utility that encodes a single character name
string as being 2 bytes (o ne for the name character, one for the 0x00
byte).  The hashval function (from lib/hash.c) returns the value of the
first character as the index into the hash array.  If the value of this
character is larger than the hash array, then an invalid pointer will be
used to lock the entry and gmond will segfault.

Here is where the error is at (in hash.c in the hashval function):

   hash_val = ((unsigned char *)key->data)[0];
   for ( i = 1; i < key->size ; i++ )
      hash_val = ( hash_val * 32 + ((unsigned char *)key->data)[i]) % 
hash->size
;


So, when the length of the key is 1, the modulus is never performed, so
hash_val is the value of the first character in the key.


- -- 
James Prewett
Systems Team Leader			Designated Security Officer
HPC Systems Engineer III @ HPC@UNM -- download@....unm.edu Jim@...wett.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/qr4hv/zdxjGBbZMRAsPnAJ9jqCJ5nBW7x12oJ9i/S02mDz+JPACfQh68
3QuKhfbAJ167pWmm5z0REnE=
=1Yw9
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ