Your message dated Mon, 19 Oct 2020 22:51:09 +0200
with message-id <3416343.Z1zflejWrS@sven-edge>
and subject line Re: Bug#972521: fastd: DoS'able memory leak on invalid packets
has caused the Debian Bug report #972521,
regarding fastd: DoS'able memory leak on invalid packets
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
972521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972521
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fastd
Severity: important
Version: 17-4
fastd doesn't free receive buffers for invalid packets. This can lead to
memory exhaustion or (with v20) to an assert. From the release text:
The new buffer management of fastd v20 revealed that received packets with
an
invalid type code were handled incorrectly, leaking the packet buffer. This
lead
to an assertion failure as soon as the buffer pool was empty, crashing
fastd.
Older versions of fastd are affected as well, but display a different
behaviour:
instead of crashing, the buffer leaks will manifest as a regular memory
leak.
This can still be used for Denial of Service attacks, so a patch for older
versions will be provided, for the case that users can't or do not want to
update to a newer version yet.
The fix can also be found inside the attached mail.
Kind regards,
Sven--- Begin Message ---
Faster than expected, there is a new release of fastd, fixing a critial
Denial of Service (fastd crash) vulnerability. All users of fastd v20 must
update.
In fastd v19 and older, the same vulnerablity exists, but exploiting it
will cause a memory leak rather than an instant crash. Users that can't or
do not want to update to v21 yet should apply the patch that is attached to
this mail.
The release notes can be found at:
https://fastd.readthedocs.io/en/stable/releases/v21.html
The new release can be obtained via Git from
https://github.com/NeoRaider/fastd
or as a tarball:
https://github.com/NeoRaider/fastd/releases/download/v21/fastd-21.tar.xz
SHA256: 942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c
-- NeoRaider
From f6a2651fa91c472d04cb34264718f761669c8aa1 Mon Sep 17 00:00:00 2001
Message-Id: <f6a2651fa91c472d04cb34264718f761669c8aa1.1603136280.git.mschif...@universe-factory.net>
From: Matthias Schiffer <[email protected]>
Date: Mon, 19 Oct 2020 21:08:16 +0200
Subject: [PATCH] receive: fix buffer leak when receiving invalid packets
For fastd versions before v20, this was just a memory leak (which could
still be used for DoS, as it's remotely triggerable). With the new
buffer management of fastd v20, this will trigger an assertion failure
instead as soon as the buffer pool is empty.
(cherry picked from commit 737925113363b6130879729cdff9ccc46c33eaea)
---
src/receive.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/receive.c b/src/receive.c
index ba92802186fb..5696747162bd 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -170,6 +170,11 @@ static inline void handle_socket_receive_known(
case PACKET_HANDSHAKE:
fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
+ break;
+
+ default:
+ fastd_buffer_free(buffer);
+ pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
}
}
@@ -197,6 +202,11 @@ static inline void handle_socket_receive_unknown(
case PACKET_HANDSHAKE:
fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
+ break;
+
+ default:
+ fastd_buffer_free(buffer);
+ pr_debug("received packet with invalid type from unknown address %I", remote_addr);
}
}
--
2.28.0
signature.asc
Description: OpenPGP digital signature
--- End Message ---
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
Source: fastd
Source-Version: 21-1
Done: Sven Eckelmann <[email protected]>
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 19 Oct 2020 21:47:58 +0200
Source: fastd
Architecture: source
Version: 21-1
Distribution: unstable
Urgency: high
Maintainer: Debian CommunityWLAN Team <[email protected]>
Changed-By: Sven Eckelmann <[email protected]>
Changes:
fastd (21-1) unstable; urgency=high
.
* New Upstream Version
- Fix crash (assert) when receiving too many invalid packets
Checksums-Sha1:
86e3526afcdd5e029a4c83245f4a784fb824479f 2118 fastd_21-1.dsc
685f538e46b32a1a63c86fbfbc7934d97a93a9a5 137660 fastd_21.orig.tar.xz
f9c38e8e1e410e9a54f092b53f946b8bc1f74a03 6784 fastd_21-1.debian.tar.xz
47e521cb5e55360739824f76c49fb1a4e95060dd 7569 fastd_21-1_source.buildinfo
Checksums-Sha256:
503249c0366679398819d5b3e7d38bf2a59d9cd7ca20d1ec0e68aeb002f45653 2118
fastd_21-1.dsc
942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c 137660
fastd_21.orig.tar.xz
803f8e8e37a53b55001cdd76c0edfc2d1498da045e800d91ca7e804d902276c8 6784
fastd_21-1.debian.tar.xz
30b46e89ce0da3b26dd88b813f611165d3f110b870041b04bb2abcfc417298b6 7569
fastd_21-1_source.buildinfo
Files:
ba245bab5393210f1e75b3c1f98a20e4 2118 net optional fastd_21-1.dsc
6342b9eae209327ce1d0ae99bc493425 137660 net optional fastd_21.orig.tar.xz
ea9046ee7838ee6e38cb2a65f830ab73 6784 net optional fastd_21-1.debian.tar.xz
0f9b4da78c305ceb4256a6397d56a035 7569 net optional fastd_21-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEF10rh2Elc9zjMuACXYcKB8Eme0YFAl+N7ggACgkQXYcKB8Em
e0bmjw//ZizLoG5D3L/kM6kD1OePBywBapBUyu2H86UpSdNExKC7i/Sob2kH4+DI
MldM04bUQ5tViieOGjtdIHicVe3HJKiM9lQZGl7MDWMteG02SQpYpQVIhKEzf+DS
/Eo+naZY0ttvJCEoeAN3CCkS98VoaK9RiynjlMUxmqC/kKmps/N5OFqevzh6g/ot
fFa9wUR2wQ9j2coJI+IplrkJTi3S6GmE9VWbj9ouaf2aLMAWFsl4h2BDHgG8IBFZ
plRT0ANHurBp6bNpJaPcRnndd0pqDjMRoA5/DkIMZTjEzWwKVVGo37wPvF5ac87t
vqfEcd4WbQ6EO26hd+4FxrbFXGqQ6b7fCXjg2BpnoFVGzy4w84e3xmT0s1KYxNmZ
ajKIdrzsl2tbxspdbB6MQonsYXMipw0jZvloI54ftvOe8E8E6sY4CvO61fCgfwFX
ZZ0kn8+1a0jIs/VGh/UgAOT/u+7xGJ9MJZ3mcabn3jNlqFy6E4546OnbX5BjPOmk
e1gCbxNehgroSom0vtOKhMqzjUiAJ4r4+is3w4gGPdyUO35eUVsvmfQS+gf4GBuc
ldPTMNBSHBtnwFtAT2p6oP7kZqe5fmC7XMOZFRXHYSe6HyBjLqW3h2ex5Kbi1cA5
UoS42nbZDlxwDw22WgMntdd4g2TN9KscmJo3AHyCVsRdG0wUdL0=
=GXef
-----END PGP SIGNATURE-----
--- End Message ---
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
