Possible DoS in whois (1.31), caused by memory exhaustion
Tito
farmatito at tiscali.it
Mon Dec 2 21:19:55 UTC 2019
On 12/2/19 9:50 PM, Erez Turjeman wrote:
> I don't think that the RFC itself defines any constraints on response length or maximum count of iterations between client and server. However, the implementation provided in Debian (https://git.launchpad.net/ubuntu/+source/whois/tree/whois.c#n780), assumes that each response from the server should be treated as a complete entry (i.e. not fragmented) and thus avoids using realloc.
> Regards,
> Erez
>
> On Mon, Dec 2, 2019 at 2:59 PM Tito <farmatito at tiscali.it> wrote:
>
> On 12/2/19 4:54 PM, Erez Turjeman wrote:
> > The implementation of `whois` in busybox 1.31 calls xrealloc without limiting the size argument, which can lead to memory exhaustion, https://git.busybox.net/busybox/tree/networking/whois.c?h=1_31_stable#n63. A rogue server can simply reply with an endless response until crashing the client.
> > Regards,
> > Erez
> > --
> > Erez Turjeman
> > erezto at gmail.com
> >
>
> Hi,
> shouldn't the app simply exit if memory is exhausted and thus free the memory again?
>
> Is there any maximum size for the server reply or do you think an arbitrary
> maximum value should be hardcoded?
>
> // Die if we can't resize previously allocated memory. (This returns a pointer
> // to the new memory, which may or may not be the same as the old memory.
> // It'll copy the contents to a new chunk and free the old one if necessary.)
> void* FAST_FUNC xrealloc(void *ptr, size_t size)
> {
>         ptr = realloc(ptr, size);
>         if (ptr == NULL && size != 0)
>                 bb_die_memory_exhausted();
>         return ptr;
> }
>
> Ciao,
> Tito
>
>
>
Hi,
seems to me they use a hardcoded max size of 2000.
char *do_query(const int sock, const char *query)
{
        char *temp, *p, buf[2000];
Ciao,
Tito
P.S: please don't top post because it makes threads hard to read.
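
The hardcoded-maximum option raised in this thread, as an added example that is not part of the original messages and is not busybox or Debian code: a read loop that grows its buffer with realloc but stops once the peer has sent more than a caller-supplied limit. The function names, the 1024-byte starting size, and the pipe used as constructed input in place of the whois socket are all assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read fd to EOF into a NUL-terminated malloc'd buffer. Returns NULL on
 * error or as soon as the peer has sent more than max bytes. */
char *read_reply_capped(int fd, size_t max, size_t *len)
{
    size_t used = 0, cap = max + 1 < 1024 ? max + 1 : 1024;
    char *buf = malloc(cap + 1);            /* +1 for the terminator */
    if (!buf) return NULL;
    for (;;) {
        if (used == cap) {                  /* full: grow, never past max+1 */
            size_t ncap = cap * 2 > max + 1 ? max + 1 : cap * 2;
            char *nbuf = realloc(buf, ncap + 1);
            if (!nbuf) { free(buf); return NULL; }
            buf = nbuf; cap = ncap;
        }
        ssize_t n = read(fd, buf + used, cap - used);
        if (n < 0) { if (errno == EINTR) continue; free(buf); return NULL; }
        if (n == 0) break;                  /* EOF: server closed the stream */
        used += (size_t)n;
        if (used > max) { free(buf); return NULL; }  /* over the cap: give up */
    }
    buf[used] = '\0';
    *len = used;
    return buf;
}

/* Constructed input: a pipe stands in for the whois socket (nbytes <= 4096).
 * Returns the accepted reply length, -1 if rejected, -2 on setup failure. */
long demo_reply_len(size_t nbytes, size_t max)
{
    char junk[4096];
    int p[2];
    size_t len = 0;
    if (nbytes > sizeof junk || pipe(p) != 0) return -2;
    memset(junk, 'A', sizeof junk);
    ssize_t w = write(p[1], junk, nbytes);
    close(p[1]);                            /* reader now sees EOF after the data */
    char *r = read_reply_capped(p[0], max, &len);
    close(p[0]);
    long out = (r && w == (ssize_t)nbytes) ? (long)len : -1;
    free(r);
    return out;
}

int main(void) { return demo_reply_len(4096, 1024) == -1 ? 0 : 1; }
```

Peak allocation stays at max + 2 bytes regardless of how much the server sends, because the loop never requests more than one byte past the limit before rejecting the reply.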