hughsie / passim

A local caching server

Remote DoS Against `passimd` by Triggering NULL Pointer Dereference

mgerstner opened this issue · comments

When accessing a URL different from the root "/" and without passing any parameters "?" then a segmentation fault is the result in `passim-server.c:759` (null pointer dereference, because there is no request).

Example:

```
root# curl -v -k 'https://localhost:27500/myfile'
root# journalctl -u passim.service | tail -n 5
Oct 25 12:45:24 mybox passimd[5091]: accepting HTTP/1.1 GET /myfile  from ::1:39278 (loopback)
Oct 25 12:45:24 mybox passimd[5091]: g_strsplit: assertion 'string != NULL' failed
Oct 25 12:45:29 mybox systemd[1]: passim.service: Main process exited, code=dumped, status=11/SEGV
Oct 25 12:45:29 mybox systemd[1]: passim.service: Failed with result 'core-dump'.
```

I guess it's also worth noting that the "crash on anything looking weird" is 100% deliberate -- i.e. we're doing

```c
(void)g_setenv("G_DEBUG", "fatal-criticals", FALSE);
```

so that any critical warning causes an instant "crash" -- on the logic a dead daemon is better than a buffer overwrite or underflow. I'll fix this now, thanks.

I verified this fix, now returns HTTP 400 Bad Request.
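
The kind of check that turns this crash into a 400, as an added example that is not part of the thread and not passim's own code: a request target with no query string is rejected before any splitting happens. It uses plain C rather than GLib, and the names `route_request`, `query_get` and the `sha256` parameter are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

enum { HTTP_OK = 200, HTTP_BAD_REQUEST = 400 };

/* Look up `key` in a query string such as "a=1&b=2" and copy its value
 * into `out`. Returns 0 on success, -1 if the query is NULL, the key is
 * absent, or the value is empty or does not fit in `out`. */
static int query_get(const char *query, const char *key, char *out, size_t out_len)
{
    size_t key_len = strlen(key);

    if (query == NULL) /* the "/myfile" case from the report: no query at all */
        return -1;
    while (*query != '\0') {
        const char *end = strchr(query, '&');
        size_t pair_len = end ? (size_t)(end - query) : strlen(query);

        if (pair_len > key_len && strncmp(query, key, key_len) == 0 &&
            query[key_len] == '=') {
            size_t val_len = pair_len - key_len - 1;
            if (val_len == 0 || val_len >= out_len)
                return -1;
            memcpy(out, query + key_len + 1, val_len);
            out[val_len] = '\0';
            return 0;
        }
        query += pair_len + (end ? 1 : 0); /* skip this pair and its '&' */
    }
    return -1;
}

/* Map a request target to a status code. Any non-root path must carry a
 * usable "sha256" parameter (assumed name), otherwise the answer is 400. */
int route_request(const char *target, char *hash, size_t hash_len)
{
    const char *qmark;

    if (target == NULL || target[0] != '/')
        return HTTP_BAD_REQUEST;
    if (strcmp(target, "/") == 0)
        return HTTP_OK; /* root page needs no parameters */
    qmark = strchr(target, '?');
    /* No '?' means there is no query: reject instead of parsing NULL. */
    return query_get(qmark ? qmark + 1 : NULL, "sha256", hash, hash_len) == 0
               ? HTTP_OK : HTTP_BAD_REQUEST;
}
```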