(copying list)
In an attempt to begin doing more unit testing, I've added a unit test
framework to slp_compare.c. This is nothing more than a test-main at the bottom
of the source file. I've added six tests to start with, but many, many more
could be added to give us better coverage of this utility module.
John
-Original Message-
From: Matthew Pendlebury [mailto:Matthew.Pendlebury@thales-esecurity.com]
Sent: Wednesday, December 12, 2012 8:37 AM
To: john.calc...@gmail.com
Cc: Richard Porter
Subject: RE: Re: Remote DOS crash in openslp
Hi John,
FWIW we were looking to see if we could find out what was causing the crash
noted in http://secunia.com/advisories/50130/
and if that still occurred using the v2 protocol which is what we are using
here as the scant details of the vulnerability suggest a v1 issue. However
there is still a fair body of code in current version dating from v1.21 times
especially in the parsing utility routines. Figuring that if anyone other than
the finder has more details of that vulnerability it is probably yourself,
then you might want to quickly see if that cures this issue as well.
Hope that helps
--Matt
-Original Message-
From: Richard Porter [mailto:richard.por...@thales-esecurity.com]
Sent: 12 December 2012 15:18
To: Matthew Pendlebury
Subject: Fwd: Re: Remote DOS crash in openslp
Original Message
Subject: Re: Remote DOS crash in openslp
Date: Wed, 12 Dec 2012 15:15:37 +
From: John Calcote john.calc...@gmail.com
To: Richard Porter richard.por...@thales-esecurity.com
Thanks Richard. I'll apply the patch this morning.
- Reply message -
From: Richard Porter richard.por...@thales-esecurity.com
To: john.calc...@gmail.com
Subject: Remote DOS crash in openslp
Date: Wed, Dec 12, 2012 4:00 AM
Hi John
This is an additional patch to the set I just posted to openslp-devel.
We've recently performed some protocol fuzzing against openslp, and
recorded a crash in SLPDProcessMessage(). What seems to be happening
is, the SrvReg packet parser decides that the packet is not valid, and
sets errorcode. The lines marked 'TRICKY' then free the recvbuf as it
was duplicated earlier. Unfortunately, when the if statements unwind,
the end of the function checks if errorcode is set and then tries to
log the now-freed recvbuf, which segfaults. My fix is to set
recvbuf=0 when it is freed, which then short-circuits the
SLPDLogMessage() function.
I've attached a patch, and a way to reproduce the crash.
- Richard
Consider the environment before printing this mail.
Thales e-Security Limited is incorporated in England and Wales with
company registration number 2518805. Its registered office is located at
2 Dashwood Lang Road, The Bourne Business Park, Addlestone, Nr.
Weybridge, Surrey KT15 2NX.
The information contained in this e-mail is confidential. It may also
be privileged. It is intended only for the stated addressee(s) and
access to it by any other person is unauthorised. If you are not an
addressee or the intended addressee, you must not disclose, copy,
circulate or in any other way use or rely on the information contained in
this e-mail.
Such unauthorised use may be unlawful. If you have received this
e-mail in error, please inform us immediately on +44 (0)1223 723600
and delete it and all copies from your system. Commercial matters
detailed or referred to in this e-mail are subject to a written
contract signed for and on behalf of Thales e-Security Limited.
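The crash pattern and the fix described in Richard's message, as a simplified C model added here; it is not the patch from the thread and not OpenSLP source. All names, the packet rule and the error values are constructed for illustration; it shows that after the NULL store the handler-rejected packet is no longer logged, while errors that leave the buffer live still are.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model; every name here is hypothetical, not OpenSLP source. */
typedef struct { size_t len; unsigned char data[]; } msgbuf;

static msgbuf *buf_dup(const unsigned char *p, size_t len) {
    msgbuf *b = malloc(sizeof *b + len);
    if (b == NULL) return NULL;
    b->len = len;
    memcpy(b->data, p, len);
    return b;
}

/* Logger that short-circuits on NULL; returns how many bytes it reported. */
static size_t log_message(const msgbuf *b) {
    if (b == NULL) return 0;
    fprintf(stderr, "rejected message: %zu bytes\n", b->len);
    return b->len;
}

/* Constructed rule: byte 0 is a version (must be 2); byte 1 == 3 selects the
 * registration handler, which owns the buffer and requires a third byte. */
int process_message(const unsigned char *pkt, size_t len, size_t *logged) {
    int errorcode = 0;
    msgbuf *recvbuf = buf_dup(pkt, len);
    *logged = 0;
    if (recvbuf == NULL) return -2;
    if (len < 2 || recvbuf->data[0] != 2) {
        errorcode = -1;                  /* header error: buffer still live */
    } else if (recvbuf->data[1] == 3 && len < 3) {
        errorcode = -3;                  /* handler rejects the packet ... */
        free(recvbuf);                   /* ... and releases its buffer */
        recvbuf = NULL;                  /* the fix: leave no stale pointer */
    }
    if (errorcode != 0)
        *logged = log_message(recvbuf);  /* without the NULL store: use-after-free */
    free(recvbuf);                       /* free(NULL) is a no-op */
    return errorcode;
}

int main(void) {
    const unsigned char bad_reg[] = { 2, 3 };  /* constructed sample input */
    size_t logged;
    int rc = process_message(bad_reg, sizeof bad_reg, &logged);
    printf("rc=%d logged=%zu\n", rc, logged);
    return 0;
}
```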