Информационная безопасность
[RU] switch to English

Дополнительная информация

  DoS против nylon

From:3APA3A <3APA3A_(at)_security.nnov.ru>
Date:10 октября 2002 г.
Subject:nylon 0.2 (0.3?) DoS

Dear [email protected],

I  found this bug in nylon 0.2, but according to CVS logs it was already
fixed  in  nylon project Tue Jun 25 00:27:07 2002 UTC (3 months, 2 weeks
ago),  http://mesh.eecs.umich.edu/cvsweb/nylon/ So, just update to newer


#if defined(SENDN) || defined(RECVN)
#if defined(RECVN)
#elif defined(SENDN)
(int s, void *buf, size_t len, int flags)
       unsigned bytes = 0, bytes_left = len;
       while (bytes_left > 0) {
               if ( (bytes =
                         #if defined(RECVN)
                         #elif defined(SENDN)
                         (s, buf+(len-bytes_left), bytes_left, flags)) != -1 )
                       bytes_left -= bytes;
                       return -1;
       return len;
#endif /* defined(SENDN) || defined(RECVN) */

This  function  fails  to  check  if recv() returns 0. The problem is if
remote  side  closes  connection  during recv(). In this case all recv()
calls  for socket always return 0. Program enters into endless loop with
100%  CPU  usage.  There  is no any kind of timeout. Exploit is trivial.
nylon is in ports collection for FreeBSD and probably other systems.


[1] Nylon 0.2 DoS source code (Unix/Windows)
[2] Different Proxy-related software


О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород