TUCoPS :: Linux :: Apps A-M :: bt1647.txt

Ganglia DoS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The Center for High Performance Computing at UNM / Dopesquad
                        Security Advisory

Wed Nov  5 13:10:35 MST 2003

Discovery made by: James E. Prewett (download@hpc.unm.edu)
Product: Ganglia
Versions: 2.5.3 tested

There is an error in Ganglia's gmond such that specially crafted packets
will crash the service.

To reproduce this error, a packet must be sent advertising a user-defined
metric that has a name string of length 1.  This packet cannot be sent
from the standar d client utility that encodes a single character name
string as being 2 bytes (o ne for the name character, one for the 0x00
byte).  The hashval function (from lib/hash.c) returns the value of the
first character as the index into the hash array.  If the value of this
character is larger than the hash array, then an invalid pointer will be
used to lock the entry and gmond will segfault.

Here is where the error is at (in hash.c in the hashval function):

   hash_val = ((unsigned char *)key->data)[0];
   for ( i = 1; i < key->size ; i++ )
      hash_val = ( hash_val * 32 + ((unsigned char *)key->data)[i]) % 
hash->size
;


So, when the length of the key is 1, the modulus is never performed, so
hash_val is the value of the first character in the key.


- -- 
James Prewett
Systems Team Leader			Designated Security Officer
HPC Systems Engineer III @ HPC@UNM -- download@hpc.unm.edu Jim@Prewett.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/qr4hv/zdxjGBbZMRAsPnAJ9jqCJ5nBW7x12oJ9i/S02mDz+JPACfQh68
3QuKhfbAJ167pWmm5z0REnE=
=1Yw9
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH