Your message dated Wed, 21 Oct 2020 22:58:56 +0100
with message-id
<f21fe9e6bc0687ad2523189af5de777ab1833add.ca...@adam-barratt.org.uk>
and subject line Re: Bug#972652: stretch-pu: package fastd/18-2+deb9u1
has caused the Debian Bug report #972652,
regarding stretch-pu: package fastd/18-2+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
972652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972652
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
[ Reason ]
The new packet buffer code (and checks) in v20 revealed a long standing issue
in fastd: A buffer with an invalid packet will just leak.
This results in an assert with v20 and memory exhaustion in earlier versions.
While v21 (already in unstable) fixed it, the memory exhaustion is still a
problem for stable and oldstable.
[ Impact ]
The problem can be used to DoS a system. Only some handcrafted (invalid)
UDP packets have to be send to a server.
[ Tests ]
Tested on a server with an attacker which injects invalid packets on the
relevant UDP port. v20 "crashed" after a couple of packets. v18 (currently in
[old]stable) required a couple of minutes to exhaust all memory of the system.
Invalid packets can for example easily created using:
iperf -u -c target.server.example.net -p 10000 -t 3000 -b 40M
The problem went completely away after v21 was installed or the proposed
upload from this ticket was installed.
The stability test of the fixed version is ongoing.
[ Risks ]
None known at the moment
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Other info ]
See http://bugs.debian.org/972521 for the unstable bug.
I have not yet uploaded the change to stable but will do this after I get an
approval for the attached change.
Kind regards,
Svendiff -Nru fastd-18/debian/changelog fastd-18/debian/changelog
--- fastd-18/debian/changelog 2016-05-13 13:37:11.000000000 +0200
+++ fastd-18/debian/changelog 2020-10-19 22:42:50.000000000 +0200
@@ -1,3 +1,12 @@
+fastd (18-2+deb9u1) stretch; urgency=medium
+
+ * debian/patches:
+ - Add 0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch,
+ Fix DoS'able memory leak when receiving too many invalid packets
+ (Closes: #972521)
+
+ -- Sven Eckelmann <[email protected]> Mon, 19 Oct 2020 22:42:50 +0200
+
fastd (18-2) unstable; urgency=medium
* Fix operation under systemd (Closes: #823801).
diff -Nru fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch
--- fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch 1970-01-01 01:00:00.000000000 +0100
+++ fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch 2020-10-19 22:42:50.000000000 +0200
@@ -0,0 +1,43 @@
+From: Matthias Schiffer <[email protected]>
+Date: Mon, 19 Oct 2020 21:08:16 +0200
+Subject: receive: fix buffer leak when receiving invalid packets
+
+For fastd versions before v20, this was just a memory leak (which could
+still be used for DoS, as it's remotely triggerable). With the new
+buffer management of fastd v20, this will trigger an assertion failure
+instead as soon as the buffer pool is empty.
+
+Origin: upstream, https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea
+Bug-Debian: https://bugs.debian.org/972521
+---
+ src/receive.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/receive.c b/src/receive.c
+index 732d4a7..a3ecfe3 100644
+--- a/src/receive.c
++++ b/src/receive.c
+@@ -186,6 +186,11 @@ static inline void handle_socket_receive_known(fastd_socket_t *sock, const fastd
+
+ case PACKET_HANDSHAKE:
+ fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
++ break;
++
++ default:
++ fastd_buffer_free(buffer);
++ pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
+ }
+ }
+
+@@ -211,6 +216,11 @@ static inline void handle_socket_receive_unknown(fastd_socket_t *sock, const fas
+
+ case PACKET_HANDSHAKE:
+ fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
++ break;
++
++ default:
++ fastd_buffer_free(buffer);
++ pr_debug("received packet with invalid type from unknown address %I", remote_addr);
+ }
+ }
+
diff -Nru fastd-18/debian/patches/series fastd-18/debian/patches/series
--- fastd-18/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ fastd-18/debian/patches/series 2020-10-19 22:42:50.000000000 +0200
@@ -0,0 +1 @@
+0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
On Wed, 2020-10-21 at 22:34 +0200, Sven Eckelmann wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: [email protected]
> Usertags: pu
stretch has been handled by the LTS Team since July, so you'll need to
discuss any possible updates to packages there with them. See
https://wiki.debian.org/LTS
Regards,
Adam
--- End Message ---
