Security: DoS Attack against inn-2.2.1

Willi Langenberger wlang at isis.wu-wien.ac.at
Fri Nov 19 19:13:47 UTC 1999


Hi!

[first, please excuse my bad English]

Yesterday I was wondering why my inn server crashed shortly after the
startup. One day of debugging gave the following result: it is
possible to remotely crash the inn-2.2.1 innd with an article which
contains the following header line:

 Distribution: ,

(as in article <942925094.1792snx at wang.pc.my>).

Further analysis:
innd/art.c:ARTpost

    distributions = *p ? CommaSplit(p) : NULL;

will give:

 distributions[0] is 0x0
 distributions[1] is ""   (a pointer to '\0')

this causes:

    if (distributions) {
        DISTparse(distributions, &Data);
        if (ME.Distributions
         && !DISTwantany(ME.Distributions, distributions)) {
            (void)sprintf(buff, "%d Unwanted distribution \"%s\"",
                    NNTP_REJECTIT_VAL,
                    MaxLength(distributions[0], distributions[0]));

to segfault in "strlen" called by MaxLength.

This was tested on a redhat-6.1 system with innd-2.2.1, which is fed
by a HP-UX / innd-1.4unoff4.


If you have any questions about this bug, please don't hesitate to
contact me.

Appended is a small patch which kind of works (the server crashes,
but next time the offending article is flushed). I think there is at
least a second point where the "Distribution: ," header crashes the
server, but at least that article is taken from the queue.

Greetings from Vienna,


\wlang{}

-- 
Willi.Langenberger at wu-wien.ac.at                 Fax: +43/1/31336/702
Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria

--- inn-2.2.1.ori/innd/art.c    Sun Aug  8 23:56:53 1999
+++ inn-2.2.1/innd/art.c        Fri Nov 19 15:29:24 1999
@@ -2285,7 +2285,13 @@
     /* If we limit what distributions we get, see if we want this one. */
     p = HDR(_distribution);
     distributions = *p ? CommaSplit(p) : NULL;
-    if (distributions) {
+    /* Problem: if "Distribution: " header consists only of a comma (",") then
+       CommaSplit gives: distribution[0] = 0x0 (distributions[1] = "").
+       this results in a segfault at the MaxLength(distributions[0],..)
+       call. workaround: add "&& distributions[0]" in the if below
+       11/99, wlang
+    */
+    if (distributions && distributions[0]) {
        DISTparse(distributions, &Data);
        if (ME.Distributions
         && !DISTwantany(ME.Distributions, distributions)) {
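Review bot: the new guard `if (distributions && distributions[0])` only stops the NULL first element; an empty-string element (the `""` the comment describes for `distributions[1]`, or one produced by a trailing comma) still flows into `DISTparse` and `DISTwantany`, which this very message suspects is a second crash point. Consider checking `distributions[0] && *distributions[0]` and, rather than silently skipping the distribution check, rejecting the article with an explicit reply in the same style as the existing `"%d Unwanted distribution"` message, so a malformed header is logged instead of being treated as if no Distribution: header were present. Minor: the comment says `distribution[0]` where `distributions[0]` is meant.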


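The failure mode reported above (a Distribution: header of "," producing an element that strlen() cannot handle) comes down to trusting that every slot of a comma-split array is a non-empty C string. The following is an added example, not INN's code and not the patch from this message: split_commas() is a hypothetical stand-in for CommaSplit() that keeps empty fields as "", distributions_usable() is the patch's guard made slightly stricter, and check_distribution() classifies a raw header value before anything is dereferenced. All sample header values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split text on commas into a NULL-terminated array of C strings.
 * Hypothetical stand-in for INN's CommaSplit(), not its code: empty
 * fields are kept as "" so that "," yields { "", "", NULL }. All strings
 * live in one private copy of the text; release with free_fields().
 * Returns NULL on allocation failure. */
char **split_commas(const char *text)
{
    size_t len = strlen(text);
    size_t nfields = 1;
    for (const char *q = text; *q; q++)
        if (*q == ',')
            nfields++;

    char **fields = malloc((nfields + 1) * sizeof *fields);
    char *copy = malloc(len + 1);
    if (fields == NULL || copy == NULL) {
        free(fields);
        free(copy);
        return NULL;
    }
    memcpy(copy, text, len + 1);

    size_t i = 0;
    fields[i++] = copy;
    for (char *p = copy; *p; p++) {
        if (*p == ',') {
            *p = '\0';          /* terminate the current field */
            fields[i++] = p + 1; /* next field starts after the comma */
        }
    }
    fields[i] = NULL;
    return fields;
}

void free_fields(char **fields)
{
    if (fields == NULL)
        return;
    free(fields[0]); /* fields[0] is the start of the private copy */
    free(fields);
}

/* The guard from the patch, made slightly stricter: the array must exist,
 * its first slot must be a real pointer, and that string must be non-empty.
 * Safe to call on { NULL, "", NULL }, the shape the report describes. */
int distributions_usable(char **distributions)
{
    return distributions != NULL
        && distributions[0] != NULL
        && distributions[0][0] != '\0';
}

/* Classify a raw Distribution: header value before any element reaches
 * code that assumes a non-empty C string (strlen, sprintf "%s", ...).
 *   0  header absent or empty: no distribution limit applies
 *   1  well-formed list of non-empty names
 *  -1  malformed (empty or whitespace-only element): do not use it */
int check_distribution(const char *value)
{
    if (value == NULL || *value == '\0')
        return 0;

    char **fields = split_commas(value);
    if (!distributions_usable(fields)) {
        free_fields(fields);
        return -1;
    }

    int rc = 1;
    for (size_t i = 0; fields[i] != NULL; i++) {
        const char *f = fields[i];
        while (*f == ' ' || *f == '\t') /* tolerate "world, local" */
            f++;
        if (*f == '\0') {               /* "", "  " or a trailing comma */
            rc = -1;
            break;
        }
    }
    free_fields(fields);
    return rc;
}

int main(void)
{
    /* Constructed sample header values, including the one from the report. */
    const char *samples[] = { "world,local", "world, local", ",", "world,", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i], check_distribution(samples[i]));
    return 0;
}
```

The point of classifying the header in one place is that a malformed value gets a deliberate verdict (reject and log) instead of being either dereferenced or silently treated as "no Distribution: header", which is the ambiguity the one-line guard in the patch leaves open.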