Bug#972651: buster-pu: package fastd/18-3+deb10u1

2020-10-25 Thread Sven Eckelmann
On Saturday, 24 October 2020 20:37:36 CET Adam D. Barratt wrote:
> Please go ahead.

Thanks, uploaded [1] with appended CVE in the changelog.

Kind regards,
Sven

[1] https://release.debian.org/proposed-updates/buster_diffs/fastd_18-3+deb10u1.debdiff



Bug#972651: buster-pu: package fastd/18-3+deb10u1

2020-10-24 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2020-10-21 at 22:34 +0200, Sven Eckelmann wrote:
> The new packet buffer code (and checks) in v20 revealed a long
> standing issue in fastd: A buffer with an invalid packet will just
> leak.
> 
> This results in an assert with v20 and memory exhaustion in earlier
> versions. While v21 (already in unstable) fixed it, the memory
> exhaustion is still a problem for stable and oldstable.

Please go ahead.

Regards,

Adam



Bug#972651: buster-pu: package fastd/18-3+deb10u1

2020-10-21 Thread Sven Eckelmann
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
The new packet buffer code (and checks) in v20 revealed a long standing issue 
in fastd: A buffer with an invalid packet will just leak.

This results in an assert with v20 and memory exhaustion in earlier versions. 
While v21 (already in unstable) fixed it, the memory exhaustion is still a 
problem for stable and oldstable.

[ Impact ]
The problem can be used to DoS a system. Only some handcrafted (invalid) 
UDP packets have to be sent to a server.

[ Tests ]
Tested on a server with an attacker which injects invalid packets on the 
relevant UDP port. v20 "crashed" after a couple of packets. v18 (currently in 
[old]stable) required a couple of minutes to exhaust all memory of the system.

Invalid packets can, for example, easily be created using:

iperf -u -c target.server.example.net -p 1 -t 3000 -b 40M

The problem went completely away after v21 was installed or the proposed 
upload from this ticket was installed.

The stability test of the fixed version is ongoing.

[ Risks ]
None known at the moment

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Other info ]
See http://bugs.debian.org/972521 for the unstable bug.

I have not yet uploaded the change to stable but will do this after I get an 
approval for the attached change.

Kind regards,
Sven

diff -Nru fastd-18/debian/changelog fastd-18/debian/changelog
--- fastd-18/debian/changelog	2018-01-08 20:48:21.0 +0100
+++ fastd-18/debian/changelog	2020-10-19 22:38:02.0 +0200
@@ -1,3 +1,12 @@
+fastd (18-3+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+- Add 0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch,
+  Fix DoS'able memory leak when receiving too many invalid packets
+  (Closes: #972521)
+
+ -- Sven Eckelmann   Mon, 19 Oct 2020 22:38:02 +0200
+
 fastd (18-3) unstable; urgency=medium
 
   * Update to new Debian policy and fix lintian problems.
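Review bot: the new 18-3+deb10u1 entry describes a remotely triggerable DoS ("Fix DoS'able memory leak when receiving too many invalid packets") but carries no CVE identifier, only the Debian bug number. If an identifier has been assigned, add it to this entry before upload so that security tracking can match the stable update to the issue.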
diff -Nru fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch
--- fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch	1970-01-01 01:00:00.0 +0100
+++ fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch	2020-10-19 22:38:02.0 +0200
@@ -0,0 +1,43 @@
+From: Matthias Schiffer 
+Date: Mon, 19 Oct 2020 21:08:16 +0200
+Subject: receive: fix buffer leak when receiving invalid packets
+
+For fastd versions before v20, this was just a memory leak (which could
+still be used for DoS, as it's remotely triggerable). With the new
+buffer management of fastd v20, this will trigger an assertion failure
+instead as soon as the buffer pool is empty.
+
+Origin: upstream, https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea
+Bug-Debian: https://bugs.debian.org/972521
+---
+ src/receive.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/receive.c b/src/receive.c
+index 732d4a7..a3ecfe3 100644
+--- a/src/receive.c
 b/src/receive.c
+@@ -186,6 +186,11 @@ static inline void handle_socket_receive_known(fastd_socket_t *sock, const fastd
+ 
+ 	case PACKET_HANDSHAKE:
+ 		fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
++		break;
++
++	default:
++		fastd_buffer_free(buffer);
++		pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
+ 	}
+ }
+ 
+@@ -211,6 +216,11 @@ static inline void handle_socket_receive_unknown(fastd_socket_t *sock, const fas
+ 
+ 	case PACKET_HANDSHAKE:
+ 		fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
++		break;
++
++	default:
++		fastd_buffer_free(buffer);
++		pr_debug("received packet with invalid type from unknown address %I", remote_addr);
+ 	}
+ }
+ 
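Review bot: both new default branches in src/receive.c emit a pr_debug line for every invalid packet, and the sender controls how many of those arrive, so it is worth confirming that this message is suppressed at the default log level or rate-limiting it, otherwise enabling debug output during a flood trades the leak for log volume. A short comment above each switch saying that every case takes ownership of buffer and that default must call fastd_buffer_free(buffer) would also help keep a future packet type from reintroducing the leak.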
diff -Nru fastd-18/debian/patches/series fastd-18/debian/patches/series
--- fastd-18/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ fastd-18/debian/patches/series	2020-10-19 22:38:02.0 +0200
@@ -0,0 +1 @@
+0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch


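The ownership pattern behind this bug, as an added example that is not part of the thread or of fastd's code: a receive path hands each buffer to a per-type handler, and an unknown type leaves the buffer with nobody to free it. All names here (buf_t, buf_alloc, receive_packet, survives_flood, the packet type values and the pool size) are hypothetical, and a small fixed pool stands in for the allocator so exhaustion is visible after a few packets.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical names throughout; this models the pattern, not fastd's code. */
#define POOL_SIZE 8
enum { PKT_DATA = 1, PKT_HANDSHAKE = 2 };
typedef struct { unsigned char data[64]; int in_use; } buf_t;
static buf_t pool[POOL_SIZE];

static buf_t *buf_alloc(void) {
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL; /* pool exhausted */
}
static void buf_free(buf_t *b) { b->in_use = 0; }

/* Each handler takes ownership of the buffer and releases it when done. */
static void handle_data(buf_t *b)      { buf_free(b); }
static void handle_handshake(buf_t *b) { buf_free(b); }

/* Receive one packet. Returns 0 if it was dispatched or discarded, -1 if no
 * buffer was available. With fixed == 0 an unknown type leaves the switch
 * with the buffer still marked in use, which is the leak. */
static int receive_packet(unsigned char type, int fixed) {
    buf_t *b = buf_alloc();
    if (!b) return -1;
    b->data[0] = type;
    switch (b->data[0]) {
    case PKT_DATA:      handle_data(b);      break;
    case PKT_HANDSHAKE: handle_handshake(b); break;
    default:
        if (fixed) buf_free(b); /* nobody else owns it: release it here */
    }
    return 0;
}

/* Feed n_invalid packets of an unknown type, then one valid data packet.
 * Returns 1 if the valid packet could still be received, 0 otherwise. */
int survives_flood(long n_invalid, int fixed) {
    for (size_t i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
    for (long i = 0; i < n_invalid; i++) receive_packet(0xff, fixed);
    return receive_packet(PKT_DATA, fixed) == 0;
}

int main(void) {
    printf("unfixed, %d invalid: %d\n", POOL_SIZE, survives_flood(POOL_SIZE, 0));
    printf("fixed, 1000 invalid: %d\n", survives_flood(1000, 1));
    return 0;
}
```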