| Summary: | monkeyd local DoS | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | rob holland (RETIRED) <tigger> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Putting a zero byte file in htdocs somewhere and then requesting it repeatedly will cause monkeyd to corrupt memory/blow up depending on MALLOC_CHECK_ Dodgy code is: void M_free(void *ptr) { if(ptr!=NULL){ memset(ptr, '\0', sizeof(ptr)); free(ptr); ptr=NULL; } } The memset doesn't do what was intended. This isn't normally visible but the 0 byte file causes monkeyd to malloc(0) which means there is no data allocated to "absorb" the broken memset call. The ptr=NULL thing is also just plain weird :) Problem was spotted by ciaranm and investigated by me. The code is pretty scary, taviso is checking it over some more atm so hold fire on any glsa etc ;)