oss-sec mailing list archives

Re: Re: CVE Request: null pointer deref in openslp, can be triggered remotely


From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 19 May 2016 12:17:11 +0530

On 05/18/2016 09:55 PM, cve-assign () mitre org wrote:

> The oss-security message and the rhbz document seem to describe the
> impact in different ways, i.e., "Basically return value from malloc
> isn't checked ... This can be triggered remotely by sending a large
> number of requests, which could possibly lead malloc to fail at one
> point, causing crash via null pointer deref" versus "A remote attacker
> could potentially deplete the memory of the server." For purposes of
> CVE, this type of scenario is often not interpreted as two independent
> problems. Roughly speaking, it is interpreted as "The unchecked malloc
> return value is the primary problem. This problem becomes reachable
> for reasons that aren't fully described, but those reasons might
> involve a design limitation in which the memory consumption of
> requests is not strictly controlled."

I fixed the description in the bug. The problem is basically an unchecked
return value from malloc inside the realloc function. So when "crafted"
packets are sent to the server, realloc is triggered to extend the size
of the data structure which holds the network data. Under memory
pressure malloc could fail, which will trigger a null pointer deref.



> Finally, although perhaps not related to the issue of whether a CVE ID
> should exist, that Security.html page says "If you find a security
> hole in OpenSLP, please bring it to the attention of the OpenSLP
> maintainer" and names John Calcote. Possibly Red Hat could do this
> upstream notification if that hasn't already happened.



Yes, we will inform upstream


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
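As an added illustration (not OpenSLP's code and not from either poster), the pattern Huzaifa describes: a home-grown realloc that never checks malloc, beside a checked version that fails the request instead of crashing the daemon. A fault-injection switch stands in for the memory pressure a flood of requests would create. All names (netbuf, sim_malloc, g_simulate_oom, grow_unchecked, grow_checked, netbuf_append, demo) and the sample data are hypothetical and constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Growable buffer for incoming network data (hypothetical, modelled on
 * the pattern described in the thread, not OpenSLP's own structure). */
typedef struct {
    unsigned char *data;
    size_t len;
    size_t cap;
} netbuf;

/* Fault-injection switch: when nonzero, sim_malloc() returns NULL to
 * simulate the memory-pressure condition the thread describes. */
static int g_simulate_oom = 0;

static void *sim_malloc(size_t n) {
    if (g_simulate_oom) return NULL;
    return malloc(n);
}

/* VULNERABLE pattern: a realloc substitute that never checks malloc.
 * On allocation failure memcpy() reads/writes through a NULL pointer
 * and the process crashes. Never call this with g_simulate_oom set;
 * it is shown for contrast only. */
void grow_unchecked(netbuf *b, size_t newcap) {
    unsigned char *p = sim_malloc(newcap);   /* may be NULL */
    memcpy(p, b->data, b->len);               /* NULL deref on failure */
    free(b->data);
    b->data = p;
    b->cap = newcap;
}

/* HARDENED: check the allocation, leave the old buffer untouched on
 * failure and report the error so the caller can drop the request. */
static int grow_checked(netbuf *b, size_t newcap) {
    unsigned char *p = sim_malloc(newcap);
    if (p == NULL)
        return -1;                            /* old data still valid */
    if (b->len)
        memcpy(p, b->data, b->len);
    free(b->data);
    b->data = p;
    b->cap = newcap;
    return 0;
}

/* Append received bytes, growing geometrically. Returns 0 on success,
 * -1 if the buffer could not be grown (the chunk is discarded). */
static int netbuf_append(netbuf *b, const unsigned char *src, size_t n) {
    if (b->len + n > b->cap) {
        size_t newcap = b->cap ? b->cap : 16;
        while (newcap < b->len + n) newcap *= 2;
        if (grow_checked(b, newcap) != 0)
            return -1;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

static void netbuf_free(netbuf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Demo: feed constructed "packet" fragments, flip the OOM switch on the
 * append that needs growth, and confirm the checked path fails cleanly
 * with earlier data intact. Returns 1 on expected behaviour, 0 otherwise. */
int demo(void) {
    netbuf b = {0};
    unsigned char frag[64];
    memset(frag, 'A', sizeof frag);           /* constructed sample data */
    int ok = 1;
    for (int i = 0; i < 4; i++)               /* fills exactly 256 bytes */
        ok &= (netbuf_append(&b, frag, sizeof frag) == 0);
    size_t before = b.len;
    g_simulate_oom = 1;                       /* next append must grow */
    ok &= (netbuf_append(&b, frag, sizeof frag) == -1);
    ok &= (b.len == before && b.data != NULL);
    g_simulate_oom = 0;
    ok &= (netbuf_append(&b, frag, sizeof frag) == 0);
    ok &= (b.len == before + sizeof frag);
    netbuf_free(&b);
    return ok;
}

int main(void) {
    printf("checked growth behaves as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The checked path alone does not address the second half of MITRE's reading (uncontrolled per-request memory consumption); a cap on the buffer size per connection, or a limit on outstanding requests, is what keeps an attacker from driving the server into the allocation-failure condition in the first place.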

