* DOS bug in 1.0.5 mountd DNS code [ard@kwaak.net: rpc.mountd SEGVs (found the bug)]
@ 2003-09-09 15:29 Chip Salzenberg
From: Chip Salzenberg @ 2003-09-09 15:29 UTC (permalink / raw)
  To: nfs

Looks like mountd crashes when the client has no forward DNS to match
its reverse DNS.  I'll patch it.

This bug probably qualifies as important enough to release 1.0.6,
since it's a potential DOS.  After all, a client may deliberately
access a server *because* that client has no matching DNS, causing
a server crash.

I don't know if this bug has anything to do with the crashes that are
fixed by the pthread.so LD_PRELOAD, but Ard's machine *is* SMP....


----- Forwarded message from Ard van Breemen <ard@kwaak.net> -----

Subject: Bug#209318: rpc.mountd SEGVs (found the bug)
From: Ard van Breemen <ard@kwaak.net>
To: 209318@bugs.debian.org
Date: Tue, 9 Sep 2003 15:56:01 +0200

Some more info:
Before the crashing started:
Sep  9 09:30:26 upa001 rpc.mountd: Fake hostname capio-6d099b.ws.alkmaar.upa.nl for 192.168.1.252 - forward lookup doesn't match reverse 
Sep  9 09:30:26 upa001 rpc.mountd: authenticated mount request from 192.168.1.252:635 for /var/lib/diskless/scratch/192.168.1.252 (/var/lib/diskless/scratch/192.168.1.252
Sep  9 09:30:26 upa001 rpc.mountd: Fake hostname capio-6d099b.ws.alkmaar.upa.nl for 192.168.1.252 - forward lookup doesn't match reverse 
Sep  9 09:30:26 upa001 rpc.mountd: authenticated mount request from 192.168.1.252:648 for /var/lib/diskless/scratch/192.168.1.252/swap (/var/lib/diskless/scratch/192.168.
Sep  9 09:30:27 upa001 rpc.mountd: Fake hostname capio-6d099b.ws.alkmaar.upa.nl for 192.168.1.252 - forward lookup doesn't match reverse 
Sep  9 09:30:27 upa001 rpc.mountd: authenticated mount request from 192.168.1.252:651 for /var/lib/opnames (/var/lib/opnames) 

That was correct. capio-6d099b.ws.alkmaar.upa.nl was pointing to something
different from 192.168.1.252. The reverse was correct.  I then deleted the
capio-6d099b.ws.alkmaar.upa.nl entries from the DNS (using nsupdate), and
then rebooted the client. No new DNS entries were made. The client tried to
mount something at a time when the reverse existed, but the forward
didn't.

Hmmm, ok, found it:
nfs-utils-1.0.5/support/export/hostname.c
get_reliable_hostbyaddr(const char *addr, int len, int type)
{
<snip>
        if (tmpname) {
                forward = gethostbyname(tmpname);
                free(tmpname);
        }
        if (forward) {
<snip>
        }
        else {
                /* never heard of it. misconfigured DNS? */
                xlog(L_WARNING, "Fake hostname %s for %s - forward lookup doesn't exist",
                     forward->h_name, inet_ntoa(*(struct in_addr*)addr));
                return NULL;
        }

So, what we see here is that it tries to print the Fake hostname using
forward->h_name, and forward==NULL.

----- End forwarded message -----

-- 
Chip Salzenberg               - a.k.a. -               <chip@pobox.com>
"I wanted to play hopscotch with the impenetrable mystery of existence,
    but he stepped in a wormhole and had to go in early."  // MST3K


_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
