(Copying list)

Hi Richard,

Your patch is now committed.

I also committed a fix for a couple of compiler problems from the last patch
set that never made it into the code base for some reason. I'm fairly
certain tip compiles cleanly now. 

Sorry for any trouble this oversight caused.

John

> -----Original Message-----
> From: Richard Porter [mailto:richard.por...@thales-esecurity.com]
> Sent: Wednesday, December 12, 2012 4:01 AM
> To: john.calc...@gmail.com
> Subject: Remote DOS crash in openslp
> 
> Hi John
> 
> This is an additional patch to the set I just posted to openslp-devel.
> 
> We've recently performed some protocol fuzzing against openslp, and
> recorded a crash in SLPDProcessMessage().  What seems to be happening is,
> the SrvReg packet parser decides that the packet is not valid, and sets
> errorcode.  The lines marked 'TRICKY' then free the recvbuf as it was
> duplicated earlier.  Unfortunately, when the if statements unwind, the end
> of the function checks if errorcode is set and then tries to log the now-freed
> recvbuf, which segfaults.  My fix is to set recvbuf=0 when it is freed, which
> then short-circuits the SLPDLogMessage() function.
> 
> I've attached a patch, and a way to reproduce the crash.
> 
> - Richard
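
Added example, not part of the original messages and not OpenSLP's source: the free-then-log pattern described above, with the pointer cleared after the free so the logger returns early. The buffer type, the function names and the one-byte validity rule are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins; these are not OpenSLP's types or functions. */
struct buffer { size_t len; unsigned char *data; };

static struct buffer *buffer_dup(const unsigned char *src, size_t len)
{
    struct buffer *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = malloc(len ? len : 1);
    if (!b->data) { free(b); return NULL; }
    memcpy(b->data, src, len);
    b->len = len;
    return b;
}

static void buffer_free(struct buffer *b)
{
    if (b) { free(b->data); free(b); }
}

/* Logger that short-circuits on NULL; returns the bytes it would log. */
static size_t log_message(const struct buffer *b)
{
    return b ? b->len : 0;
}

/* Constructed validity rule: a registration must start with 0x02. */
static int parse_registration(const struct buffer *b)
{
    return (b->len > 0 && b->data[0] == 0x02) ? 0 : -1;
}

/* Returns the error code; *logged receives what the error path logged. */
int process_message(const unsigned char *pkt, size_t len, size_t *logged)
{
    struct buffer *recvbuf = buffer_dup(pkt, len);
    int errorcode;
    *logged = 0;
    if (!recvbuf) return -2;

    errorcode = parse_registration(recvbuf);
    if (errorcode != 0) {
        buffer_free(recvbuf);  /* duplicate is released on a parse failure */
        recvbuf = NULL;        /* the fix: no dangling pointer survives */
    }
    if (errorcode != 0)
        *logged = log_message(recvbuf);  /* NULL, so the logger returns early */
    buffer_free(recvbuf);      /* safe on NULL, so no double free either */
    return errorcode;
}
```

Without the `recvbuf = NULL` line, both the log call and the final free would operate on memory that was already released.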


_______________________________________________
Openslp-devel mailing list
Openslp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openslp-devel
