Subject: bin/13450: rpcbind segmentation fault (perhaps remote DoS)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <abb@numeca.be>
List: netbsd-bugs
Date: 07/12/2001 12:21:24
>Number: 13450
>Category: bin
>Synopsis: rpcbind crashes by request from client from non-local ip-network
>Confidential: yes
>Severity: critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jul 12 03:19:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Alexandre Bezroutchko
>Release: NetBSD-1.5 <NetBSD-current source date>
>Organization:
NUMECA International
>Environment:
System: NetBSD nis.numeca.be 1.5 NetBSD 1.5 (GENERIC) #1: Sun Nov 19 21:42:11 MET 2000 fvdl@sushi:/work/trees/netbsd-1-5/sys/arch/i386/compile/GENERIC i386
NIS client: SunOS fermat 5.6 Generic_105181-23 sun4u sparc SUNW,Ultra-5_10
>Description:
I have a standard NetBSD-1.5 installation with rpcbind & ypserv enabled.
Rpcbind gets a segmentation fault when accessed from a Solaris 2.6 (Sparc) client.
The client and server computers are on different IP networks (sharing the same ethernet segment).
I think the bug is critical because it can be used for a DoS attack.
>How-To-Repeat:
On NetBSD launch 'rpcbind -d' and 'ypserv -f -l'.
On Solaris run 'rpcinfo -p nis' or 'ypwhich' and see rpcbind crash.
>Fix:
The workaround is to put both computers on the same network.
The problem is that rpcbind does not initialize the 'tbuf' structure (util.c:117)
if the interface is not found in the loop at lines 162-244. The structure is used
anyway at line 269.
>Release-Note:
>Audit-Trail:
>Unformatted:
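The defect described in the Fix section is a lookup loop that fills a buffer only when a local interface on the client's network is found, while the caller uses the buffer regardless. The following is an added illustration, not rpcbind's util.c: the struct layouts, the interface table (192.168.1.10/24 and 10.0.0.5/8) and the function names are constructed, and it shows the hardened shape, with the buffer zeroed before the loop and the not-found case reported to the caller instead of being ignored.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not rpcbind's util.c. It models the fix the report
 * implies: a buffer filled by an interface-lookup loop must be initialized,
 * and the caller must handle "no interface on this network" instead of
 * using the buffer anyway. Addresses are IPv4 in host byte order. */
struct iface   { uint32_t addr; uint32_t mask; };
struct addrbuf { uint32_t addr; uint32_t mask; };

/* Constructed interface table: 192.168.1.10/24 and 10.0.0.5/8. */
static const struct iface ifaces[] = {
    { 0xC0A8010AU, 0xFFFFFF00U },
    { 0x0A000005U, 0xFF000000U },
};

/* Find the local interface that shares a network with 'client'.
 * Returns 0 and fills *out on success, -1 if no interface matches.
 * *out is zeroed up front so it never carries stack garbage. */
int pick_iface(uint32_t client, struct addrbuf *out)
{
    memset(out, 0, sizeof *out);            /* the missing initialization */
    for (size_t i = 0; i < sizeof ifaces / sizeof ifaces[0]; i++) {
        if ((client & ifaces[i].mask) == (ifaces[i].addr & ifaces[i].mask)) {
            out->addr = ifaces[i].addr;
            out->mask = ifaces[i].mask;
            return 0;
        }
    }
    return -1;                              /* caller must not use *out */
}

/* Caller shape: a request from a host on a foreign IP network (the report's
 * Solaris client on another network, same Ethernet) is refused rather than
 * answered from uninitialized data. Returns the address to reply from, or
 * 0 when no local interface shares a network with the client. */
uint32_t reply_source(uint32_t client)
{
    struct addrbuf buf;
    if (pick_iface(client, &buf) != 0)
        return 0;
    return buf.addr;
}
```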