
Re: [Nagios-devel] (Fwd) Denial of Service Vulnerability in Nagios

Posted: Mon Jul 21, 2003 7:55 pm
by Guest

On Mon, 2003-07-21 at 20:35, Karl DeBisschop wrote:
> On Mon, 2003-07-21 at 18:54, Ethan Galstad wrote:
>
> > Anyone have any thoughts or comments on this?
>
> I may see it.
>
> Line 589 starts a loop listening for a connection. If there is an error
> on the connection, you jump out to line 597
>
> I think the repeated SYNs might be seen as an error - maybe
> ECONNABORTED.
>
> If so, you return on line 605, for my quick look return to the main
> routine. That return would close NRPE.

I have tried to reproduce the DOS with nrpe from CVS compiled on Linux
(using nmap to create the SYN connections). Unfortunately, that
combination does not produce the bug.

Can anyone else reproduce the bug?

That issue notwithstanding, I have looked more at the code, and I do
feel the above analysis is a problem, even if it is not the problem at
hand. IMHO, wait_for_connections() just ought not return until after the
fork. A possible patch is attached.

--
Karl

Index: src/nrpe.c
===================================================================
RCS file: /cvsroot/nagios/nrpe/src/nrpe.c,v
retrieving revision 1.26
diff -U2 -r1.26 nrpe.c
--- src/nrpe.c 14 Jun 2003 01:29:28 -0000 1.26
+++ src/nrpe.c 22 Jul 2003 03:53:49 -0000
@@ -594,16 +594,4 @@
}

- /* hey, there was an error... */
- if(new_sd<0){
-
- /* log error to syslog facility */
- syslog(LOG_ERR,"Network server accept failure (%d: %s)",errno,strerror(errno));
-
- /* close socket prioer to exiting */
- close(sock);
-
- return;
- }
-
/* child process should handle the connection */
pid=fork();
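
Review bot: with the new_sd<0 check removed from this position, the fork() at the end of the hunk now runs even when accept failed, so every failed connection costs a process before anything looks at the error. Consider keeping the check ahead of fork() and changing only its action: log, leave sock open, and go back to accepting, instead of the close(sock); return; pair, which is the part that stops the listener.
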
@@ -613,4 +601,16 @@
pid=fork();
if(pid==0){
+
+ /* hey, there was an error... */
+ if(new_sd<0){
+
+ /* log error to syslog facility */
+ syslog(LOG_ERR,"Network server accept failure (%d: %s)",errno,strerror(errno));
+
+ /* close socket prioer to exiting */
+ close(sock);
+
+ return;
+ }

/* grandchild does not need to listen for connections, so close the socket */
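
Review bot: in the relocated block under if(pid==0), errno is read after fork() has run, so the value passed to syslog may no longer be the one accept set; save it immediately after accept, or log before forking. The return here also executes in the child, which sends the child back into the caller of wait_for_connections() instead of ending it; _exit() in the child would be the safer way out. The parent's path for new_sd<0 is not visible in this hunk and should be checked so that it does not use or close the invalid descriptor.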

This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
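
As an added illustration of the point argued in the message above (this is not part of the original post, the attached patch, or NRPE's source), the following C example keeps an accept loop alive across per-connection errors such as ECONNABORTED and gives up only on other errors. The names accept_next, accept_error_is_transient, run_script and the stub, as well as the choice of which errno values count as transient, are assumptions made for the example.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>

/* Same signature as accept(2), so a stub can stand in for it below. */
typedef int (*accept_fn)(int, struct sockaddr *, socklen_t *);

/* Errors that describe one pending connection or a signal, not the listener. */
int accept_error_is_transient(int err) {
    switch (err) {
    case ECONNABORTED:  /* peer went away before accept() picked it up */
    case EINTR: case EPROTO: case ENETDOWN: case ENETUNREACH: case EHOSTUNREACH:
        return 1;
    default: return 0;
    }
}

/* Return a connected descriptor; return -1 only for a non-transient error.
   *skipped counts the failed connections that were logged and dropped. */
int accept_next(int listen_sd, accept_fn do_accept, int *skipped) {
    for (;;) {
        int new_sd = do_accept(listen_sd, NULL, NULL);
        if (new_sd >= 0) return new_sd;
        int saved = errno;  /* capture before any later call can change it */
        syslog(LOG_ERR, "Network server accept failure (%d: %s)", saved, strerror(saved));
        if (!accept_error_is_transient(saved)) { errno = saved; return -1; }
        (*skipped)++;       /* listening socket stays open; try the next one */
    }
}

/* Constructed stub: fails with the scripted errno values, then yields fd 7. */
static int script[2], script_len, script_pos;
int last_skipped;
static int stub_accept(int sd, struct sockaddr *addr, socklen_t *len) {
    (void)sd; (void)addr; (void)len;
    if (script_pos < script_len) { errno = script[script_pos++]; return -1; }
    return 7;
}

/* Load up to two scripted errno values and run accept_next() against the stub. */
int run_script(int e1, int e2, int n) {
    script[0] = e1; script[1] = e2; script_len = n; script_pos = 0; last_skipped = 0;
    return accept_next(-1, stub_accept, &last_skipped);
}

int main(void) {
    return run_script(ECONNABORTED, EINTR, 2) == 7 && last_skipped == 2 ? 0 : 1;
}
```

Logging every dropped connection can itself be abused to fill the log during a flood, so a real daemon would rate-limit that syslog call.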