atftpd crash - denial of service
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
atftp (Debian) |
Fix Released
|
Undecided
|
Unassigned | ||
atftp (Ubuntu) |
Fix Released
|
Medium
|
Unassigned |
Bug Description
Binary package hint: atftpd
Description: Ubuntu 8.04.1
Release: 8.04
Architecture: i386
Source: atftp
Version: 0.7.dfsg-3
Atftpd crash with signal 11. I can force atftpd to crash during a tftp session by sending it a malformed tftp error packet. Client ask for a file - atftpd sent first block of data - client send a malformed tftp error packet only consisting of the error opcode and the errno - but without the required error string. Hereafter atftpd crash with signal 11.
Atftpd use a customized version of Strncpy there ensure the copied string is null terminated. The implementation did not take into account that the string size could be zero.
I have attached a patch which solve the problem. I have also a small perl script there create the malformed tftp session.
Regards,
Jakob Hilmer - <email address hidden>
Related branches
Changed in atftp: | |
status: | Unknown → New |
Attached perl script there create the malformed tftp session.