From 4851695cf70c307984b890a157551c5f9b1e7925 Mon Sep 17 00:00:00 2001 From: wpaul Date: Fri, 15 May 1998 22:57:31 +0000 Subject: Patch RPC library to avoid possible denial of service attacks as described recently in BUGTRAQ. The set_input_fragment() routine in the XDR record marking code blindly trusts that the first two bytes it sees will in fact be an actual record header and that the specified size will be sane. In fact, if you just telnet to a listening port of an RPC service and send a few carriage returns, set_input_fragment() will obtain a ridiculously large record size and sit there for a long time trying to read from the network. A sanity test is required: if the record size is larger than the receive buffer, punt. --- lib/libc/xdr/xdr_rec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/libc/xdr/xdr_rec.c b/lib/libc/xdr/xdr_rec.c index f54172b..2919e28 100644 --- a/lib/libc/xdr/xdr_rec.c +++ b/lib/libc/xdr/xdr_rec.c @@ -29,7 +29,7 @@ #if defined(LIBC_SCCS) && !defined(lint) /*static char *sccsid = "from: @(#)xdr_rec.c 1.21 87/08/11 Copyr 1984 Sun Micro";*/ /*static char *sccsid = "from: @(#)xdr_rec.c 2.2 88/08/01 4.0 RPCSRC";*/ -static char *rcsid = "$Id: xdr_rec.c,v 1.5 1996/12/30 14:07:10 peter Exp $"; +static char *rcsid = "$Id: xdr_rec.c,v 1.8 1997/05/28 04:57:38 wpaul Exp $"; #endif /* @@ -550,6 +550,12 @@ set_input_fragment(rstrm) return (FALSE); header = (long)ntohl(header); rstrm->last_frag = ((header & LAST_FRAG) == 0) ? FALSE : TRUE; + /* + * Sanity check. Try not to accept wildly incorrect + * record sizes. + */ + if ((header & (~LAST_FRAG)) > rstrm->recvsize) + return(FALSE); rstrm->fbtbc = header & (~LAST_FRAG); return (TRUE); } -- cgit v1.1