Remote DoS Against `passimd` by Triggering NULL Pointer Dereference
mgerstner opened this issue
Matthias Gerstner commented
When accessing a URL different from the root "/" and without passing any parameters "?", a segmentation fault is the result in passim-server.c:759 (NULL pointer dereference, because there is no request).
Example:
```
root# curl -v -k 'https://localhost:27500/myfile'
root# journalctl -u passim.service | tail -n 5
Oct 25 12:45:24 mybox passimd[5091]: accepting HTTP/1.1 GET /myfile from ::1:39278 (loopback)
Oct 25 12:45:24 mybox passimd[5091]: g_strsplit: assertion 'string != NULL' failed
Oct 25 12:45:29 mybox systemd[1]: passim.service: Main process exited, code=dumped, status=11/SEGV
Oct 25 12:45:29 mybox systemd[1]: passim.service: Failed with result 'core-dump'.
```
Richard Hughes commented
I guess it's also worth noting that the "crash on anything looking weird" is 100% deliberate -- i.e. we're doing
Line 1363 in 59c73a8
Matthias Gerstner commented
I verified this fix; it now returns HTTP 400 Bad Request.
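The failure mode discussed in this thread (parsing the query of a request that has no "?") and the 400 response that replaces the crash, as an added example that is not code from passim or from either commenter. The names `request_query` and `handle_target` and the parameter name `id` used with them are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Return the query part of a request target (text after the first '?'),
 * or NULL when there is none, which is the case for "/myfile". */
static const char *request_query(const char *target)
{
    const char *q = strchr(target, '?');
    return q ? q + 1 : NULL;
}

/* Hypothetical handler: returns the HTTP status for a request target and,
 * on 200 for a non-root path, copies the value of parameter `key` to out. */
int handle_target(const char *target, const char *key, char *out, size_t out_len)
{
    const char *query, *p;
    size_t klen = strlen(key);

    if (target == NULL || target[0] != '/')
        return 400;
    if (strcmp(target, "/") == 0)
        return 200;                  /* root page takes no parameters */

    query = request_query(target);
    if (query == NULL || *query == '\0')
        return 400;                  /* no '?': reject instead of parsing NULL */

    /* Walk the '&'-separated pairs only after the NULL check above. */
    for (p = query; *p != '\0'; ) {
        size_t len = strcspn(p, "&");
        if (len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen == 0 || vlen >= out_len)
                return 400;          /* empty or oversized value */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 200;
        }
        p += len;
        if (*p == '&')
            p++;
    }
    return 400;                      /* required parameter missing */
}
```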