This is the mail archive of the libc-hacker@sourceware.cygnus.com mailing list for the glibc project.
Re: RPC denial of service
- To: libc-hacker@cygnus.com
- Subject: Re: RPC denial of service
- From: Zack Weinberg <zack@rabi.phys.columbia.edu>
- Date: Sun, 17 May 1998 15:56:22 -0400
Here's how freebsd fixed it. The patch was made Friday, I doubt it's been
tested much at all; nor do I know if this code applies to our tree.
zw
------- Forwarded Message
Date: Sun, 17 May 1998 15:51:44 -0400
From: wpaul@ctr.columbia.edu (Bill Paul)
To: zack@rabi.phys.columbia.edu (Zack Weinberg)
Subject: Re: patches to freebsd libc to fix RPC denial of service
Here are patches for src/lib/libc/rpc/svc_tcp.c and
src/lib/libc/xdr/xdr_rec.c. For FreeBSD-current, there's a third patch
for src/lib/libc/rpc/svc_unix.c; FreeBSD 2.2.x doesn't have the "unix"
transport in it so you don't need it there. The change is identical
to the one to svc_tcp.c (except the routine that's changed is
svcunix_recv.c instead of svctcp_recv.c).
*** svc_tcp.c.orig Fri May 15 17:11:21 1998
--- svc_tcp.c Fri May 15 17:09:02 1998
***************
*** 404,409 ****
--- 404,410 ----
cd->x_id = msg->rm_xid;
return (TRUE);
}
+ cd->strm_stat = XPRT_DIED; /* XXXX */
return (FALSE);
}
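Review bot: the added `cd->strm_stat = XPRT_DIED; /* XXXX */` carries only a placeholder comment, so nothing in the code records why a failed receive now marks the transport dead. The assignment runs on every path that falls through to `return (FALSE)`, which means any message that fails to decode ends the connection, not only the malformed-record case this patch targets. Replace `/* XXXX */` with a comment stating that intent (the caller should tear the connection down rather than keep servicing it), and confirm that no caller relies on getting FALSE here while continuing to use the same transport. Since the mail says the svc_unix.c change is identical, the same comment belongs there too.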
*** xdr_rec.c.orig Fri May 15 17:43:57 1998
--- xdr_rec.c Fri May 15 17:47:58 1998
***************
*** 550,555 ****
--- 550,561 ----
return (FALSE);
header = (long)ntohl(header);
rstrm->last_frag = ((header & LAST_FRAG) == 0) ? FALSE : TRUE;
+ /*
+ * Sanity check. Try not to accept wildly incorrect
+ * record sizes.
+ */
+ if ((header & (~LAST_FRAG)) > rstrm->recvsize)
+ return(FALSE);
rstrm->fbtbc = header & (~LAST_FRAG);
return (TRUE);
}
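Review bot: the size check sits after `rstrm->last_frag` has already been assigned from the untrusted header, so on the rejecting `return(FALSE)` path `last_frag` is updated while `fbtbc` is left stale. Move the check above the `last_frag` assignment, or compute the masked length once into a local and set both fields only after it passes; that also removes the duplicated `header & (~LAST_FRAG)` expression. Two further points to confirm: the bound is `rstrm->recvsize`, and if that is the receive buffer size rather than a protocol limit, a peer sending a valid fragment larger than the buffer is now refused; and the check is per fragment header, so it does not by itself limit the total size of a record made of many fragments. `header` has been cast to `long` just above, so it is worth checking the signedness of both sides of the `>` comparison as well.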
-Bill
--
=============================================================================
-Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu
Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
"Now, that's "Open" as used in the sentence "Open your wallet", right?"
=============================================================================
------- End of Forwarded Message