gnats/169: gnatsd crashes/potential DOS attack.

[celer]

>Number:         169
>Category:       gnats
>Synopsis:       gnatsd crashes/potential DOS attack.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Mar 26 11:24:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     address@hidden
>Release:        3.113
>Organization:
>Environment:
Linux 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
>Description:
gnatsd crashes when entering text for the "CHEK" command. There are a number of 
issues with this command.
1. There appears to be a problem with parsing the tags and making sure that the 
returned values are not null pointers. 

For example pr[RESPONSIBLE].value in edit.c line 399 is not checked before it 
is used. Other uses of pr[*].value are not checked either. Causing gnatsd to 
crash. When gnatsd crashes it leaves files in tmp. Potentially filling up the 
file system and causing a DOS attack. 
>How-To-Repeat:
type this into gnatsd(either from the command prompt or from inetd)
CHEK

asfdsda


This is not the only means to make this occur. You can also cause this by 
filling in some of the tags and not others.


.

and you will get

CHEK
210 Ok.

asfdsda
.
Segmentation fault (core dumped)

>Fix:
Check for null pointers in check_pr from edit.c
>Release-Note:
>Audit-Trail:
>Unformatted: