nylon 0.2 (0.3?) DoS

2002-10-10T00:00:00
ID SECURITYVULNS:DOC:3612
Type securityvulns
Reporter Securityvulns
Modified 2002-10-10T00:00:00

Description

Dear bugtraq@,

I found this bug in nylon 0.2, but according to the CVS logs it was already fixed in the nylon project on Tue Jun 25 00:27:07 2002 UTC (3 months, 2 weeks ago): http://mesh.eecs.umich.edu/cvsweb/nylon/ So just update to a newer version.

Details:

    #if defined(SENDN) || defined(RECVN)
    ssize_t
    #if defined(RECVN)
    recvn
    #elif defined(SENDN)
    sendn
    #endif
    (int s, void *buf, size_t len, int flags)
    {
            unsigned bytes = 0, bytes_left = len;

            while (bytes_left > 0) {
                    if ( (bytes =
                              #if defined(RECVN)
                              recv
                              #elif defined(SENDN)
                              send
                              #endif
                              (s, buf+(len-bytes_left), bytes_left, flags)) != -1 )
                            bytes_left -= bytes;
                    else
                            return -1;
            }
            return len;
    }
    #endif /* defined(SENDN) || defined(RECVN) */

This function fails to check whether recv() returns 0. The problem arises if the remote side closes the connection during recv(). In this case every recv() call on the socket returns 0, bytes_left never decreases, and the program enters an endless loop with 100% CPU usage. There is no timeout of any kind. The exploit is trivial. nylon is in the ports collection for FreeBSD and probably other systems.

References:

[1] Nylon 0.2 DoS source code (Unix/Windows) http://www.security.nnov.ru/files/3nylont.c

[2] Different Proxy-related software http://www.security.nnov.ru/soft

/ZARAZA
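The missing check described in the advisory, as an added example that is not part of the original post and is not nylon's actual CVS fix: a receive loop that treats a return value of 0 as end of stream instead of retrying forever. The names `recvn_safe` and `demo_peer_close` are hypothetical, and the choice to return a short count on early close (rather than -1) is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical hardened recvn: read up to len bytes from s.
 * Returns bytes read (short if the peer closed early) or -1 on error. */
ssize_t recvn_safe(int s, void *buf, size_t len, int flags)
{
    size_t got = 0;
    while (got < len) {
        /* signed result, so -1 cannot be confused with a byte count */
        ssize_t n = recv(s, (char *)buf + got, len - got, flags);
        if (n == 0)                 /* peer closed: stop instead of spinning */
            break;
        if (n < 0) {
            if (errno == EINTR)     /* interrupted by a signal: retry */
                continue;
            return -1;
        }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed harness: the peer sends `sent` bytes and closes while we
 * still expect `want` bytes. Returns recvn_safe's result, -2 on setup error. */
ssize_t demo_peer_close(size_t sent, size_t want)
{
    int sv[2];
    char out[64] = {0}, in[64];
    ssize_t r;
    if (sent > sizeof out || want > sizeof in ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -2;
    r = (sent > 0 && send(sv[1], out, sent, 0) != (ssize_t)sent) ? -2 : 0;
    close(sv[1]);                   /* remote side closes the connection */
    if (r == 0)
        r = recvn_safe(sv[0], in, want, 0);
    close(sv[0]);
    return r;
}

int main(void)
{
    printf("wanted 32, peer sent 10 then closed: got %zd\n", demo_peer_close(10, 32));
    return 0;
}
```

Callers must compare the return value with the requested length and treat a short count as a closed connection. This covers only the missing check; the missing timeout the advisory also mentions is not addressed here.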