atftpd crash - denial of service
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| atftp (Debian) |
Fix Released
|
Undecided
|
Unassigned | ||
| atftp (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Bug Description
Binary package hint: atftpd
Description: Ubuntu 8.04.1
Release: 8.04
Architecture: i386
Source: atftp
Version: 0.7.dfsg-3
Atftpd crash with signal 11. I can force atftpd to crash during a tftp session by sending it a malformed tftp error packet. Client ask for a file - atftpd sent first block of data - client send a malformed tftp error packet only consisting of the error opcode and the errno - but without the required error string. Hereafter atftpd crash with signal 11.
Atftpd use a customized version of Strncpy there ensure the copied string is null terminated. The implementation did not take into account that the string size could be zero.
I have attached a patch which solve the problem. I have also a small perl script there create the malformed tftp session.
Regards,
Jakob Hilmer - <email address hidden>
Related branches
| Jakob Hilmer (jakob-hilmer) wrote | #1 |
| Jakob Hilmer (jakob-hilmer) wrote | #2 |
| Changed in atftp: | |
| status: | Unknown → New |
| Mackenzie Morgan (maco.m) wrote | #3 |
| Changed in atftp (Ubuntu): | |
| importance: | Undecided → Medium |
| status: | New → Triaged |
| Iain Lane (laney) wrote | #4 |
| Changed in atftp (Ubuntu): | |
| status: | Triaged → Fix Committed |
| Launchpad Janitor (janitor) wrote | #5 |
| Changed in atftp: | |
| status: | Fix Committed → Fix Released |
| Artur Rona (ari-tczew) wrote | #6 |
| Changed in atftp (Debian): | |
| importance: | Unknown → Undecided |
| status: | New → Fix Released |
Attached perl script there create the malformed tftp session.