Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 87917

Summary: monkeyd local DoS
Product: Gentoo Security Reporter: rob holland (RETIRED) <tigger>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Package list:
Runtime testing required: ---

Description rob holland (RETIRED) gentoo-dev 2005-04-04 08:26:23 UTC
Putting a zero byte file in htdocs somewhere and then requesting it repeatedly will cause monkeyd to corrupt memory/blow up depending on MALLOC_CHECK_

Dodgy code is:

void M_free(void *ptr)
        memset(ptr, '\0', sizeof(ptr));

The memset doesn't do what was intended. This isn't normally visible but the 0 byte file causes monkeyd to malloc(0) which means there is no data allocated to "absorb" the broken memset call. The ptr=NULL thing is also just plain weird :)

Problem was spotted by ciaranm and investigated by me.

The code is pretty scary, taviso is checking it over some more atm so hold fire on any glsa etc ;)
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-04-04 08:33:24 UTC

*** This bug has been marked as a duplicate of 87916 ***