Security: DoS Attack against inn-2.2.1
Willi Langenberger
wlang at isis.wu-wien.ac.at
Fri Nov 19 19:13:47 UTC 1999
Hi!
[first, please excuse my bad English]
Yesterday I was wondering why my inn server crashed shortly after
startup. One day of debugging gave the following result: It is
possible to remotely crash the inn-2.2.1 innd with an article which
contains the following header line:
    Distribution: ,
(as in article <942925094.1792snx at wang.pc.my>).
Further analysis:
innd/art.c:ARTpost

    distributions = *p ? CommaSplit(p) : NULL;

will give:

    distributions[0] is 0x0
    distributions[1] is "" (a pointer to '\0')

this causes:

    if (distributions) {
        DISTparse(distributions, &Data);
        if (ME.Distributions
         && !DISTwantany(ME.Distributions, distributions)) {
            (void)sprintf(buff, "%d Unwanted distribution \"%s\"",
                    NNTP_REJECTIT_VAL,
                    MaxLength(distributions[0], distributions[0]));

to segfault in "strlen" called by MaxLength.
This is tested on a redhat-6.1 system with innd-2.2.1, which is fed
by a HP-UX / innd-1.4unoff4.
If you have any questions about this bug, please don't hesitate to
contact me.
Appended is a small patch which kind of works (the server crashes,
but next time the offending article is flushed). I think there is at
least a second point where the "Distribution: ," header crashes the
server, but at least that article is taken from the queue.
Greetings from Vienna,
\wlang{}
--
Willi.Langenberger at wu-wien.ac.at Fax: +43/1/31336/702
Zentrum fuer Informatikdienste, Wirtschaftsuniversitaet Wien, Austria
--- inn-2.2.1.ori/innd/art.c Sun Aug 8 23:56:53 1999
+++ inn-2.2.1/innd/art.c Fri Nov 19 15:29:24 1999
@@ -2285,7 +2285,13 @@
/* If we limit what distributions we get, see if we want this one. */
p = HDR(_distribution);
distributions = *p ? CommaSplit(p) : NULL;
- if (distributions) {
+ /* Problem: if "Distribution: " header consists only of a comma (",") then
+ CommaSplit gives: distribution[0] = 0x0 (distributions[1] = "").
+ this results in a segfault at the MaxLength(distributions[0],..)
+ call. workaround: add "&& distributions[0]" in the if below
+ 11/99, wlang
+ */
+ if (distributions && distributions[0]) {
DISTparse(distributions, &Data);
if (ME.Distributions
&& !DISTwantany(ME.Distributions, distributions)) {
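Review bot: the new condition `distributions && distributions[0]` treats a header of "," as if no Distribution header were present, so the `ME.Distributions` / `DISTwantany` filter in this block is skipped for that article instead of the article being rejected. The array itself is also left in the shape the comment describes (slot 0 NULL, slot 1 ""), so any code after this block that tests only `distributions` can still dereference `distributions[0]`. Consider setting `distributions = NULL` when `distributions[0]` is NULL, or having CommaSplit never return a NULL first slot, and decide explicitly whether an empty distribution list should be rejected when `ME.Distributions` is set. Minor: the comment writes `distribution[0]` where the variable is `distributions`.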
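Added example (not part of the original message and not INN's code): a stand-alone splitter that drops empty elements, so a header value of "," yields an empty list rather than a NULL first entry, together with a bounded formatter for the rejection line. The names split_nonempty, free_list and format_reject, the "(empty)" placeholder and the sample response code 437 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free a NULL-terminated list returned by split_nonempty(). */
void free_list(char **list)
{
    if (list == NULL) return;
    for (char **p = list; *p; p++) free(*p);
    free(list);
}

/* Split a comma-separated header value into a NULL-terminated array.
 * Empty elements are dropped, so every entry is a non-empty string and
 * list[0] is NULL only when the list is empty.  NULL on alloc failure. */
char **split_nonempty(const char *value, size_t *count)
{
    size_t slots = 2, n = 0;        /* one element plus the terminator */
    for (const char *p = value; *p; p++)
        if (*p == ',') slots++;
    char **list = calloc(slots, sizeof *list);
    if (list == NULL) return NULL;
    for (const char *start = value; ; ) {
        size_t len = strcspn(start, ",");
        if (len > 0) {
            if ((list[n] = malloc(len + 1)) == NULL) { free_list(list); return NULL; }
            memcpy(list[n], start, len);
            list[n++][len] = '\0';
        }
        if (start[len] == '\0') break;
        start += len + 1;
    }
    *count = n;
    return list;
}

/* Bounded write; an empty list gets a placeholder, never list[0]. */
int format_reject(char *buf, size_t size, int code, char **list)
{
    const char *first = (list && list[0]) ? list[0] : "(empty)";
    return snprintf(buf, size, "%d Unwanted distribution \"%s\"", code, first);
}

int main(void)
{
    char buf[64];
    size_t n;
    char **list = split_nonempty(",", &n);     /* header value from the report */
    if (list == NULL) return 1;
    format_reject(buf, sizeof buf, 437, list);  /* 437: sample code (assumption) */
    printf("%zu element(s): %s\n", n, buf);
    free_list(list);
    return 0;
}
```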