From mboxrd@z Thu Jan 1 00:00:00 1970 From: celer@scrypt.net To: gnats-gnats@sourceware.cygnus.com Subject: gnats/169: gnatsd crashes/potential DOS attack. Date: Mon, 26 Mar 2001 11:24:00 -0000 Message-id: <20010326191808.16762.qmail@sourceware.cygnus.com> X-SW-Source: 2001-q1/msg00050.html List-Id: >Number: 169 >Category: gnats >Synopsis: gnatsd crashes/potential DOS attack. >Confidential: no >Severity: critical >Priority: high >Responsible: unassigned >State: open >Class: sw-bug >Submitter-Id: net >Arrival-Date: Mon Mar 26 11:24:01 PST 2001 >Closed-Date: >Last-Modified: >Originator: celer@scrypt.net >Release: 3.113 >Organization: >Environment: Linux 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown >Description: gnatsd crashes when entering text for the "CHEK" command. There are a number of issues with this command. 1. There appears to be a problem with parsing the tags and making sure that the returned values are not null pointers. For example pr[RESPONSIBLE].value in edit.c line 399 is not checked before it is used. Other uses of pr[*].value are not checked either. Causing gnatsd to crash. When gnatsd crashes it leaves files in tmp. Potentially filling up the file system and causing a DOS attack. >How-To-Repeat: type this into gnatsd(either from the command prompt or from inetd) CHEK asfdsda This is not the only means to make this occur. You can also cause this by filling in some of the tags and not others. . and you will get CHEK 210 Ok. asfdsda . Segmentation fault (core dumped) >Fix: Check for null pointers in check_pr from edit.c >Release-Note: >Audit-Trail: >Unformatted: