nylon 0.2 (0.3?) DoS

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear bugtraq@,

I  found this bug in nylon 0.2, but according to CVS logs it was already
fixed  in  nylon project Tue Jun 25 00:27:07 2002 UTC (3 months, 2 weeks
ago),  http://mesh.eecs.umich.edu/cvsweb/nylon/ So, just update to newer
version.

Details:

#if defined(SENDN) || defined(RECVN)
ssize_t
#if defined(RECVN)
recvn
#elif defined(SENDN)
sendn
#endif
(int s, void *buf, size_t len, int flags)
{
        unsigned bytes = 0, bytes_left = len;
        
        while (bytes_left > 0) {
                if ( (bytes =
                          #if defined(RECVN)
                          recv
                          #elif defined(SENDN)
                          send
                          #endif
                          (s, buf+(len-bytes_left), bytes_left, flags)) != -1 )
                        bytes_left -= bytes;
                else
                        return -1;
        }
        return len;
}
#endif /* defined(SENDN) || defined(RECVN) */


This  function  fails  to  check  if recv() returns 0. The problem is if
remote  side  closes  connection  during recv(). In this case all recv()
calls  for socket always return 0. Program enters into endless loop with
100%  CPU  usage.  There  is no any kind of timeout. Exploit is trivial.
nylon is in ports collection for FreeBSD and probably other systems.

References:

[1] Nylon 0.2 DoS source code (Unix/Windows)
    http://www.security.nnov.ru/files/3nylont.c
[2] Different Proxy-related software
    http://www.security.nnov.ru/soft


/ZARAZA
http://www.security.nnov.ru