Package: fastd
Severity: important
Version: 17-4

fastd doesn't free receive buffers for invalid packets. This can lead to 
memory exhaustion or (with v20) to an assert. From the release text: 

    The new buffer management of fastd v20 revealed that received packets with an
    invalid type code were handled incorrectly, leaking the packet buffer. This led
    to an assertion failure as soon as the buffer pool was empty, crashing fastd.

    Older versions of fastd are affected as well, but display a different behaviour:
    instead of crashing, the buffer leaks will manifest as a regular memory leak.
    This can still be used for Denial of Service attacks, so a patch for older
    versions will be provided, for the case that users can't or do not want to
    update to a newer version yet.

The fix can also be found inside the attached mail.

Kind regards,
        Sven
--- Begin Message ---
Faster than expected, there is a new release of fastd, fixing a critical
Denial of Service (fastd crash) vulnerability. All users of fastd v20 must
update.

In fastd v19 and older, the same vulnerability exists, but exploiting it
will cause a memory leak rather than an instant crash. Users that can't or
do not want to update to v21 yet should apply the patch that is attached to
this mail.

The release notes can be found at:

  https://fastd.readthedocs.io/en/stable/releases/v21.html

The new release can be obtained via Git from

  https://github.com/NeoRaider/fastd

or as a tarball:

  https://github.com/NeoRaider/fastd/releases/download/v21/fastd-21.tar.xz
  SHA256: 942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c

-- NeoRaider




From f6a2651fa91c472d04cb34264718f761669c8aa1 Mon Sep 17 00:00:00 2001
Message-Id: <f6a2651fa91c472d04cb34264718f761669c8aa1.1603136280.git.mschif...@universe-factory.net>
From: Matthias Schiffer <mschif...@universe-factory.net>
Date: Mon, 19 Oct 2020 21:08:16 +0200
Subject: [PATCH] receive: fix buffer leak when receiving invalid packets

For fastd versions before v20, this was just a memory leak (which could
still be used for DoS, as it's remotely triggerable). With the new
buffer management of fastd v20, this will trigger an assertion failure
instead as soon as the buffer pool is empty.

(cherry picked from commit 737925113363b6130879729cdff9ccc46c33eaea)
---
 src/receive.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/receive.c b/src/receive.c
index ba92802186fb..5696747162bd 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -170,6 +170,11 @@ static inline void handle_socket_receive_known(
 
 	case PACKET_HANDSHAKE:
 		fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
+		break;
+
+	default:
+		fastd_buffer_free(buffer);
+		pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
 	}
 }
 
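Review bot: The new `default:` branch in handle_socket_receive_known() closes the leak, but nothing at the switch documents that every case must take ownership of `buffer`, either by handing it to a handler or by freeing it. A short comment above the switch stating that contract would keep a future packet type from reintroducing the leak. The `default:` branch could also end in an explicit `break;` to match the one added after the PACKET_HANDSHAKE case.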
@@ -197,6 +202,11 @@ static inline void handle_socket_receive_unknown(
 
 	case PACKET_HANDSHAKE:
 		fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
+		break;
+
+	default:
+		fastd_buffer_free(buffer);
+		pr_debug("received packet with invalid type from unknown address %I", remote_addr);
 	}
 }
 
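Review bot: In the `default:` branch of handle_socket_receive_unknown(), the debug message does not include the offending type code, so the log only shows that something invalid arrived from `remote_addr`. If the type is added to the message, it has to be read before `fastd_buffer_free(buffer)` so the log call never touches the released buffer. Keeping the message at pr_debug level is appropriate here, since this branch is reachable from unknown addresses.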
-- 
2.28.0



--- End Message ---
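
The leak described in the report and the release text, as a constructed C model (an added example, not fastd source code): a fixed buffer pool, a type-switch dispatcher without a `default` branch, and the same dispatcher with the `default` branch the patch adds. The pool size, the type codes and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not fastd source: a fixed pool of receive buffers. */
#define POOL_SIZE 4
enum { PKT_DATA = 1, PKT_HANDSHAKE = 2 };   /* hypothetical type codes */

typedef struct { int in_use; unsigned char data[64]; } buf_t;
static buf_t pool[POOL_SIZE];

static buf_t *buf_alloc(void) {
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;   /* pool empty: the state in which fastd v20 asserts */
}
static void buf_free(buf_t *b) { b->in_use = 0; }

/* Each handler takes ownership of the buffer and releases it when done. */
static void handle_data(buf_t *b) { buf_free(b); }
static void handle_handshake(buf_t *b) { buf_free(b); }

/* Dispatch one packet; hardened != 0 enables the default branch of the fix. */
static void dispatch(buf_t *b, int hardened) {
    switch (b->data[0]) {
    case PKT_DATA:      handle_data(b); break;
    case PKT_HANDSHAKE: handle_handshake(b); break;
    default:
        if (hardened)
            buf_free(b);   /* invalid type: no handler owns the buffer */
    }
}

/* Feed n packets of one type; return how many could not get a buffer. */
static int receive_packets(int n, unsigned char type, int hardened) {
    int unserved = 0;
    for (size_t i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;   /* fresh pool */
    for (int i = 0; i < n; i++) {
        buf_t *b = buf_alloc();
        if (!b) { unserved++; continue; }
        b->data[0] = type;
        dispatch(b, hardened);
    }
    return unserved;
}

int main(void) {
    printf("no default branch: %d of 10 unserved\n", receive_packets(10, 0xff, 0));
    printf("with default free: %d of 10 unserved\n", receive_packets(10, 0xff, 1));
    return 0;
}
```

With the model's unbounded allocator replaced by `malloc`, the same missing branch shows up as the steady memory growth the report describes for fastd v19 and older.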
