Hi, in fact the patch provided is taken directly from MICO's source tree. See MICO's darcs repository and search for this patch:

Sun Jul  9 00:34:46 CEST 2006  Karel Gardas <[EMAIL PROTECTED]>
  * fix possible _non_existent call DoS vulnerability (reported by Christoph Becker)

  This patch fixes possible _non_existent call DoS vulnerability. The problem
  was observed when sending _non_existent message together with corrupted
  target object ID. Actual problem was to try to answer incorrectly
  initialized invocation which resulted in assert. The fix is to initialize
  invocation properly even in case of _non_existent call where we're not
  able to find appropriate OA and which is answered by the ORB itself. The
  issue was reported by Christoph Becker.

Cheers,
Karel

Mark Lindner wrote:
> ddserver: orb.cc:332: void
> CORBA::ORBInvokeRec::set_answer_invoke(CORBA::InvokeStatus, CORBA::Object*,
> CORBA::ORBRequest*, GIOP::AddressingDisposition): Assertion `_type ==
> RequestInvoke' failed.
>
> Has this been fixed yet in the codebase? The patch looks pretty simple...
>
> http://secunia.com/advisories/20970/
>
> --
> Mark Lindner
> http://www.hyperrealm.com/
>
> _______________________________________________
> Mico-devel mailing list
> Mico-devel@mico.org
> http://www.mico.org/mailman/listinfo/mico-devel

--
Karel Gardas                  [EMAIL PROTECTED]
ObjectSecurity Ltd.           http://www.objectsecurity.com
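
The failure described in the commit message above, as a simplified C++ model added here; it is not MICO source and not part of the original messages. InvokeRec, adapter_exists, handle_non_existent and the object IDs are hypothetical names, and the assertion is modelled as an exception so that both paths can run in one process.

```cpp
#include <stdexcept>
#include <string>

// Simplified model, not MICO source: every name below is hypothetical.
enum class RecType { Unset, RequestInvoke };

struct InvokeRec {
    RecType type = RecType::Unset;
    bool answered = false;

    void init_invoke() { type = RecType::RequestInvoke; }

    // Stands in for the assertion quoted in the thread. Throwing instead of
    // aborting lets one process exercise both the broken and the fixed path.
    void set_answer() {
        if (type != RecType::RequestInvoke)
            throw std::logic_error("record not initialized as RequestInvoke");
        answered = true;
    }
};

// Constructed lookup: only object ID "obj-1" has an object adapter.
static bool adapter_exists(const std::string& object_id) {
    return object_id == "obj-1";
}

// Returns true if the call was answered, false if an assert-based build
// would have aborted the server while answering it.
bool handle_non_existent(const std::string& object_id, bool init_on_orb_path) {
    InvokeRec rec;
    if (adapter_exists(object_id)) {
        rec.init_invoke();   // normal path: an adapter was found
    } else if (init_on_orb_path) {
        rec.init_invoke();   // fixed path: initialize before the ORB answers itself
    }
    try {
        rec.set_answer();
    } catch (const std::logic_error&) {
        return false;        // with a real assert this is a process abort
    }
    return rec.answered;
}
```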