Bug 1251064 (CVE-2015-5177)

Summary: CVE-2015-5177 openslp: double free in SLPDProcessMessage()
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: jrusnack, rdieter, santiagorr, vcrhonek
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20150806,reported=20150730,source=researcher,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-6/openslp=notaffected,rhel-7/openslp=notaffected,epel-5/openslp=affected,fedora-all/openslp=notaffected,cwe=CWE-416
Doc Type: Bug Fix
Last Closed: 2015-08-06 13:05:12 UTC
Attachments:
Upstream patch

Description Martin Prpič 2015-08-06 13:04:29 UTC
A double free flaw was found in openslp's SLPDProcessMessage() function. A crafted packet could cause openslp to crash.

This flaw only affects version 1.2.1 of openslp, which is only shipped in EPEL 5. Version 2.0.0 is not affected.

OpenSLP is not actively maintained upstream so patches are not available.

Acknowledgements:

Red Hat would like to thank Qinghao Tang of QIHU 360 for reporting this issue.

Comment 1 Martin Prpič 2015-08-06 13:05:12 UTC
Additional details from Qinghao Tang:

Let's see how this issue happened; the code below is from
/openslp-1.2.1/slpd/slpd_process.c and slpd_knownda.c:


int SLPDProcessMessage(struct sockaddr_in* peerinfo,
                       SLPBuffer recvbuf,
                       SLPBuffer* sendbuf)
{
    ...
    message = SLPMessageAlloc();
    if (message)
    {
        /* Parse the message and fill out the message descriptor */
        errorcode = SLPMessageParseBuffer(peerinfo, recvbuf, message);
        if (errorcode == 0)
        {
            /* Process messages based on type */
            switch (message->header.functionid)
            {
            ...
            case SLP_FUNCT_DAADVERT:
                // call "first free" function
                errorcode = ProcessDAAdvert(message,
                                            recvbuf,
                                            sendbuf,
                                            errorcode);
                break;
            ...
            }
        }
        else
        {
            SLPDLogParseWarning(peerinfo, recvbuf);
        }

        if (header.functionid == SLP_FUNCT_SRVREG ||
            header.functionid == SLP_FUNCT_DAADVERT)
        {
            if (errorcode == 0)
            {
                goto FINISHED;
            }

            // double free
            SLPBufferFree(recvbuf);
        }
    ...
}


int ProcessDAAdvert(SLPMessage message,
                    SLPBuffer recvbuf,
                    SLPBuffer* sendbuf,
                    int errorcode)
{
    ...
    {
        if (message->body.daadvert.errorcode == SLP_ERROR_OK)
        {
            // call "first free" function
            errorcode = SLPDKnownDAAdd(message, recvbuf);
        }
    }
    ...
}


int SLPDKnownDAAdd(SLPMessage msg, SLPBuffer buf)
{
    ...
CLEANUP:
    SLPMessageFree(msg);
    // first free
    SLPBufferFree(buf);
    if (dh) SLPDatabaseClose(dh);

    return result;
}

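The excerpt above is an ownership bug: SLPDKnownDAAdd() frees the buffers it was handed on its error path but still reports failure, so the caller, which interprets a nonzero errorcode as "I still own recvbuf", frees the same buffer again. The C program below is an added example, not openslp code and not part of this bug report; it models that shape with hypothetical names (known_da_add_buggy, known_da_add_fixed, process_message) and routes every free through a small tracking wrapper so the double free is counted rather than corrupting the heap. The advert-rejection condition (url_ok) is a constructed stand-in for whatever makes the real registration fail, and the caller's cleanup of the message descriptor on the error path is an assumption about the elided part of SLPDProcessMessage().

```c
/* Added example (not openslp code): minimal model of the CVE-2015-5177 ownership bug.
 * Names are hypothetical; frees go through a tracking wrapper so a double free
 * is counted instead of corrupting the heap. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* SLP function IDs from RFC 2608. */
enum { FUNCT_SRVREG = 3, FUNCT_DAADVERT = 8 };

typedef struct { int functionid; int url_ok; } Message; /* parsed header fields */
typedef struct { unsigned char bytes[64]; } Buffer;      /* stands in for SLPBuffer */

/* --- tracking allocator: counts how often each allocation is freed --- */
#define MAX_TRACKED 8
static struct { uintptr_t addr; int frees; } g_track[MAX_TRACKED];
static int g_ntrack;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p && g_ntrack < MAX_TRACKED) {
        g_track[g_ntrack].addr = (uintptr_t)p;
        g_track[g_ntrack].frees = 0;
        g_ntrack++;
    }
    return p;
}

/* Only the first free really releases memory; later ones are just counted. */
static void tracked_free(void *p)
{
    for (int i = 0; i < g_ntrack; i++) {
        if (g_track[i].addr == (uintptr_t)p) {
            if (g_track[i].frees++ == 0)
                free(p);
            return;
        }
    }
}

static int free_count(const void *p)
{
    for (int i = 0; i < g_ntrack; i++)
        if (g_track[i].addr == (uintptr_t)p)
            return g_track[i].frees;
    return -1;
}

/* --- buggy shape, mirroring SLPDKnownDAAdd() in 1.2.1 ---
 * On failure the callee frees msg and buf itself yet still returns an error,
 * so the caller cannot tell that ownership is already gone. */
static int known_da_add_buggy(Message *msg, Buffer *buf)
{
    int result = 0;
    if (!msg->url_ok) {        /* constructed failure: advert rejected */
        result = -1;
        goto CLEANUP;
    }
    return 0;                  /* success: the DA table now owns msg and buf */
CLEANUP:
    tracked_free(msg);         /* first free */
    tracked_free(buf);         /* first free */
    return result;
}

/* --- fixed shape: single-owner rule ---
 * The callee never frees what it did not allocate. Nonzero means "ownership
 * was not taken"; the caller still holds msg and buf and cleans up once. */
static int known_da_add_fixed(Message *msg, Buffer *buf)
{
    (void)buf;
    if (!msg->url_ok)
        return -1;
    return 0;                  /* success: ownership transferred to the table */
}

/* Caller, mirroring the tail of SLPDProcessMessage(): frees recvbuf (and, as
 * assumed here, the message) whenever a SRVREG/DAADVERT handler reported an error. */
static int process_message(Message *msg, Buffer *recvbuf, int use_fix)
{
    int header_functionid = msg->functionid; /* copied out, like the parsed header */
    int errorcode = 0;

    if (header_functionid == FUNCT_DAADVERT)
        errorcode = use_fix ? known_da_add_fixed(msg, recvbuf)
                            : known_da_add_buggy(msg, recvbuf);

    if (header_functionid == FUNCT_SRVREG || header_functionid == FUNCT_DAADVERT) {
        if (errorcode == 0)
            goto FINISHED;     /* ownership moved to the table: do not free */
        tracked_free(recvbuf); /* double free when the buggy callee already freed it */
        tracked_free(msg);
    }
FINISHED:
    return errorcode;
}

/* Drives one constructed DAAdvert through the caller and returns how many times
 * recvbuf was freed. Rejected advert: 2 with the buggy callee, 1 with the fixed
 * one. Accepted advert: 0, because the table owns the buffer afterwards. */
int recvbuf_free_count(int use_fix, int advert_ok)
{
    g_ntrack = 0;                              /* fresh tracking table (demo leaks on purpose) */
    Message *msg = tracked_alloc(sizeof *msg);
    Buffer *buf = tracked_alloc(sizeof *buf);
    msg->functionid = FUNCT_DAADVERT;
    msg->url_ok = advert_ok;                   /* constructed: 0 makes the registration fail */
    process_message(msg, buf, use_fix);
    return free_count(buf);
}

int main(void)
{
    printf("buggy callee, rejected advert: recvbuf freed %d times\n", recvbuf_free_count(0, 0));
    printf("fixed callee, rejected advert: recvbuf freed %d times\n", recvbuf_free_count(1, 0));
    return 0;
}
```

The practical lesson is the contract, not the patch: a function that can fail must either never free caller-owned memory or document that it always consumes its arguments, and a nonzero return must mean the caller still owns everything it passed in. Without the tracking wrapper the buggy path is a real double free; building a test like this with -fsanitize=address (or running slpd under it) reports it immediately, which is how the crash the report describes would surface in practice.
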
Comment 2 Santiago R.R. 2015-09-03 07:46:52 UTC
Created attachment 1069647 [details]
Upstream patch

Upstream fixed this issue in 2011:
http://sourceforge.net/p/openslp/mercurial/ci/2bc15d0494f886d9c4fe342d23bc160605aea51d/