[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
gnats/169: gnatsd crashes/potential DOS attack.
From: |
celer |
Subject: |
gnats/169: gnatsd crashes/potential DOS attack. |
Date: |
26 Mar 2001 19:18:08 -0000 |
>Number: 169
>Category: gnats
>Synopsis: gnatsd crashes/potential DOS attack.
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: unassigned
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 26 11:24:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: address@hidden
>Release: 3.113
>Organization:
>Environment:
Linux 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
>Description:
gnatsd crashes when entering text for the "CHEK" command. There are a number of
issues with this command.
1. There appears to be a problem with parsing the tags and making sure that the
returned values are not null pointers.
For example pr[RESPONSIBLE].value in edit.c line 399 is not checked before it
is used. Other uses of pr[*].value are not checked either. Causing gnatsd to
crash. When gnatsd crashes it leaves files in tmp. Potentially filling up the
file system and causing a DOS attack.
>How-To-Repeat:
type this into gnatsd(either from the command prompt or from inetd)
CHEK
asfdsda
This is not the only means to make this occur. You can also cause this by
filling in some of the tags and not others.
.
and you will get
CHEK
210 Ok.
asfdsda
.
Segmentation fault (core dumped)
>Fix:
Check for null pointers in check_pr from edit.c
>Release-Note:
>Audit-Trail:
>Unformatted:
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- gnats/169: gnatsd crashes/potential DOS attack.,
celer <=