Bug#436803: openbsd-inetd: denial of service, cpu loop, select returns fd that is not handled

Wed, 08 Aug 2007 22:07:35 -0700 

Package: openbsd-inetd
Version: 0.20050402-6
Severity: normal

inetd can enter a state where select(2) is returning a file descriptor
that is active due to an incoming connection, yet it does not handle the
connection, so causing a CPU loop until it is restarted.

The problem is reproducible by preparing a UDP service and bombarding a
system with UDP packets.  Since one has to actually prepare a UDP
service, the package isn't vulnerable to start with, as far as I can
tell.

/etc/inetd.conf:

9988 dgram udp nowait root /usr/local/bin/9988 9988

/usr/local/bin/9988 is a shell script that performs "echo 'ok'"

strace:

select(12, [4 5 6 7 8 9 10 11], NULL, NULL, NULL) = 1 (in [11])
rt_sigprocmask(SIG_BLOCK, [HUP ALRM CHLD], NULL, 8) = 0
gettimeofday({1186634606, 858530}, NULL) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
select(12, [4 5 6 7 8 9 10 11], NULL, NULL, NULL) = 1 (in [11])

lsof:

COMMAND   PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
inetd   16547 root  cwd    DIR    3,1    4096       2 /
inetd   16547 root  rtd    DIR    3,1    4096       2 /
inetd   16547 root  txt    REG    3,1   29192 1333385 /usr/sbin/inetd
inetd   16547 root  mem    REG    3,1   83712  301649 /lib/libnsl-2.6.so
inetd   16547 root  mem    REG    3,1 1331780  301208 /lib/libc-2.6.so
inetd   16547 root  mem    REG    3,1   31224  294942 /lib/libwrap.so.0.7.6
inetd   16547 root  mem    REG    3,1   38416  301652 /lib/libnss_files-2.6.so
inetd   16547 root  mem    REG    3,1  117336  295672 /lib/ld-2.6.so
inetd   16547 root    0u   CHR    1,3             870 /dev/null
inetd   16547 root    1u   CHR    1,3             870 /dev/null
inetd   16547 root    2u   CHR    1,3             870 /dev/null
inetd   16547 root    4u  IPv4  31852             TCP *:discard (LISTEN)
inetd   16547 root    5u  IPv4  31854             UDP *:discard 
inetd   16547 root    6u  IPv4  31856             TCP *:daytime (LISTEN)
inetd   16547 root    7u  IPv4  31858             TCP *:time (LISTEN)
inetd   16547 root    8u  IPv4  31860             TCP *:distcc (LISTEN)
inetd   16547 root    9u  IPv4  31862             TCP *:tojander (LISTEN)
inetd   16547 root   10u  IPv4  31864             TCP *:9802 (LISTEN)
inetd   16547 root   11u  IPv4  31866             UDP *:9988 

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages openbsd-inetd depends on:
ii  libc6                         2.6-2      GNU C Library: Shared libraries
ii  libwrap0                      7.6.dbs-14 Wietse Venema's TCP wrappers libra
ii  lsb-base                      3.1-24     Linux Standard Base 3.1 init scrip
ii  tcpd                          7.6.dbs-14 Wietse Venema's TCP wrapper utilit
ii  update-inetd                  4.27-0.5   inetd.conf updater

openbsd-inetd recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to