(copying list) In an attempt to begin doing more unit testing, I've added a unit test framework to slp_compare.c. This is nothing more than a test-main at the bottom of the source file. I've added six tests to start with, but many, many more could be added to give us better coverage of this utility module.
John

> -----Original Message-----
> From: Matthew Pendlebury [mailto:Matthew.Pendlebury@thales-esecurity.com]
> Sent: Wednesday, December 12, 2012 8:37 AM
> To: john.calc...@gmail.com
> Cc: Richard Porter
> Subject: RE: Re: Remote DOS crash in openslp
>
> Hi John,
>
> FWIW we were looking to see if we could find out what was causing the crash
> noted in http://secunia.com/advisories/50130/
> and if that still occurred using the v2 protocol which is what we are using
> here as the scant details of the vulnerability suggest a v1 issue. However
> there is still a fair body of code in current version dating from v1.21 times
> especially in the parsing utility routines. Figuring that if anyone other than
> the finder has more details of that vulnerability it is probably yourself, then
> you might want to quickly see if that cures this issue as well.
>
> Hope that helps
>
> --Matt
>
> > -----Original Message-----
> > From: Richard Porter [mailto:richard.por...@thales-esecurity.com]
> > Sent: 12 December 2012 15:18
> > To: Matthew Pendlebury
> > Subject: Fwd: Re: Remote DOS crash in openslp
> >
> > -------- Original Message --------
> > Subject: Re: Remote DOS crash in openslp
> > Date: Wed, 12 Dec 2012 15:15:37 +0000
> > From: John Calcote <john.calc...@gmail.com>
> > To: Richard Porter <richard.por...@thales-esecurity.com>
> >
> > Thanks Richard. I'll apply the patch this morning.
> >
> > Sent from my HTC One™ X+, an AT&T 4G LTE smartphone
> >
> > ----- Reply message -----
> > From: "Richard Porter" <richard.por...@thales-esecurity.com>
> > To: <john.calc...@gmail.com>
> > Subject: Remote DOS crash in openslp
> > Date: Wed, Dec 12, 2012 4:00 AM
> >
> > Hi John
> >
> > This is an additional patch to the set I just posted to openslp-devel.
> >
> > We've recently performed some protocol fuzzing against openslp, and
> > recorded a crash in SLPDProcessMessage(). What seems to be happening
> > is, the SrvReg packet parser decides that the packet is not valid, and
> > sets errorcode. The lines marked 'TRICKY' then free the recvbuf as it
> > was duplicated earlier. Unfortunately, when the if statements unwind,
> > the end of the function checks if errorcode is set and then tries to
> > log the now-freed recvbuf, which segfaults. My fix is to set
> > recvbuf=0 when it is freed, which then short-circuits the
> > SLPDLogMessage() function.
> >
> > I've attached a patch, and a way to reproduce the crash.
> >
> > - Richard
> >
> > Consider the environment before printing this mail.
> >
> > Thales e-Security Limited is incorporated in England and Wales with
> > company registration number 2518805. Its registered office is located
> > at 2 Dashwood Lang Road, The Bourne Business Park, Addlestone, Nr.
> > Weybridge, Surrey KT15 2NX.
> >
> > The information contained in this e-mail is confidential. It may also
> > be privileged. It is intended only for the stated addressee(s) and
> > access to it by any other person is unauthorised. If you are not an
> > addressee or the intended addressee, you must not disclose, copy,
> > circulate or in any other way use or rely on the information contained
> > in this e-mail. Such unauthorised use may be unlawful. If you have
> > received this e-mail in error, please inform us immediately on
> > +44 (0)1223 723600 and delete it and all copies from your system.
> > Commercial matters detailed or referred to in this e-mail are subject
> > to a written contract signed for and on behalf of Thales e-Security
> > Limited.

_______________________________________________
Openslp-devel mailing list
Openslp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openslp-devel
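
The free-then-log pattern described in the quoted crash report, and the fix of clearing the pointer, as an added C example; it is not OpenSLP code or the attached patch. The names buf_t, log_message, parse and process_message and the sample packet are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins with hypothetical names; not OpenSLP's types or functions. */
typedef struct { size_t len; unsigned char data[32]; } buf_t;

static int last_logged = -1;          /* bytes seen by the logger, -1 = skipped */

/* Logger that returns early on a null buffer, the behaviour the fix relies on. */
static void log_message(const buf_t *b)
{
    if (b == NULL) return;
    last_logged = (int)b->len;
    fprintf(stderr, "rejected message, %d bytes\n", last_logged);
}

/* Constructed validity rule standing in for the real parser. */
static int parse(const buf_t *b) { return (b->len > 0 && b->data[0] == 2) ? 0 : 1; }

int process_message(buf_t *recvbuf, int is_registration)
{
    int errorcode, owned = 0;
    last_logged = -1;
    if (is_registration) {            /* registrations work on a private copy */
        buf_t *dup = malloc(sizeof *dup);
        if (dup == NULL) return -1;
        *dup = *recvbuf;
        recvbuf = dup;
        owned = 1;
    }
    errorcode = parse(recvbuf);
    if (errorcode != 0 && owned) {
        free(recvbuf);                /* rejected: the copy is released early */
        recvbuf = NULL;               /* the fix: no dangling pointer reaches the logger */
    }
    if (errorcode != 0)
        log_message(recvbuf);         /* end-of-function error logging */
    else if (owned)
        free(recvbuf);                /* toy only: a real store would keep the copy */
    return errorcode;
}

int main(void)
{
    buf_t bad = { 3, { 1, 0, 0 } };   /* constructed input that fails parse() */
    int rc = process_message(&bad, 1);
    printf("errorcode=%d logged=%d\n", rc, last_logged);
    return 0;
}
```

With the pointer cleared, a rejected registration is no longer written to the error log at all, because the logger returns early on a null buffer; rejected messages that were never copied are still logged.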