Bug 1251064 (CVE-2015-5177) - CVE-2015-5177 openslp: double free in SLPDProcessMessage()
Summary: CVE-2015-5177 openslp: double free in SLPDProcessMessage()
Status: CLOSED WONTFIX
Alias: CVE-2015-5177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150806,repor...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-06 13:04 UTC by Martin Prpič
Modified: 2019-06-08 20:41 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-08-06 13:05:12 UTC


Attachments (Terms of Use)
Ustream patch (1.41 KB, patch)
2015-09-03 07:46 UTC, Santiago R.R.
no flags Details | Diff

Description Martin Prpič 2015-08-06 13:04:29 UTC
A double free flaw was found in openslp's SLPDProcessMessage() function. A crafted package could cause openslp to crash.

This flaw only affects version 1.2.1 of openslp, which is only shipped in EPEL 5. Version 2.0.0 is not affected.

OpenSLP is not actively maintained upstream so patches are not available.

Acknowledgements:

Red Hat would like to thank Qinghao Tang of QIHU 360 for reporting this issue.

Comment 1 Martin Prpič 2015-08-06 13:05:12 UTC
Additional details from Qinghao Tang:

Let`s see how this issue happened,the code below is from
/openslp-1.2.1/slpd/slpd_process.c and slpd_knownda.c:


int SLPDProcessMessage(struct sockaddr_in* peerinfo,
SLPBuffer recvbuf,
SLPBuffer* sendbuf)
{
...
message = SLPMessageAlloc();
if (message)
{
/* Parse the message and fill out the message descriptor */
errorcode = SLPMessageParseBuffer(peerinfo,recvbuf, message);
if (errorcode == 0)
{
/* Process messages based on type */
switch (message->header.functionid)
{
...
case SLP_FUNCT_DAADVERT:
//call "first free" function
errorcode = ProcessDAAdvert(message,
recvbuf,
sendbuf,
errorcode);
break;
...
}
}
else
{
SLPDLogParseWarning(peerinfo, recvbuf);
}

if (header.functionid == SLP_FUNCT_SRVREG ||
header.functionid == SLP_FUNCT_DAADVERT )
{

if (errorcode == 0)
{
goto FINISHED;
}

//double free
SLPBufferFree(recvbuf);
}
...
}


int ProcessDAAdvert(SLPMessage message,
SLPBuffer recvbuf,
SLPBuffer* sendbuf,
int errorcode)
{
...
{
if (message->body.daadvert.errorcode == SLP_ERROR_OK)
{
//call "first free" function
errorcode = SLPDKnownDAAdd(message,recvbuf);
}
}
...
}


int SLPDKnownDAAdd(SLPMessage msg, SLPBuffer buf)
{

...
CLEANUP:
SLPMessageFree(msg);
//first free
SLPBufferFree(buf);
if (dh) SLPDatabaseClose(dh);

return result;
}

Comment 2 Santiago R.R. 2015-09-03 07:46:52 UTC
Created attachment 1069647 [details]
Ustream patch

Upstream fixed this issue in 2011:
http://sourceforge.net/p/openslp/mercurial/ci/2bc15d0494f886d9c4fe342d23bc160605aea51d/


Note You need to log in before you can comment on or make changes to this bug.