A double free flaw was found in openslp's SLPDProcessMessage() function. A crafted packet could cause openslp to crash. This flaw only affects version 1.2.1 of openslp, which is only shipped in EPEL 5. Version 2.0.0 is not affected. OpenSLP is not actively maintained upstream, so patches are not available. Acknowledgements: Red Hat would like to thank Qinghao Tang of QIHU 360 for reporting this issue.
Additional details from Qinghao Tang: Let's see how this issue happened. The code below is from /openslp-1.2.1/slpd/slpd_process.c and slpd_knownda.c:

    int SLPDProcessMessage(struct sockaddr_in* peerinfo,
                           SLPBuffer recvbuf,
                           SLPBuffer* sendbuf)
    {
        ...
        message = SLPMessageAlloc();
        if (message)
        {
            /* Parse the message and fill out the message descriptor */
            errorcode = SLPMessageParseBuffer(peerinfo, recvbuf, message);
            if (errorcode == 0)
            {
                /* Process messages based on type */
                switch (message->header.functionid)
                {
                ...
                case SLP_FUNCT_DAADVERT:
                    //call "first free" function
                    errorcode = ProcessDAAdvert(message, recvbuf, sendbuf, errorcode);
                    break;
                ...
                }
            }
            else
            {
                SLPDLogParseWarning(peerinfo, recvbuf);
            }

            if (header.functionid == SLP_FUNCT_SRVREG ||
                header.functionid == SLP_FUNCT_DAADVERT)
            {
                if (errorcode == 0)
                {
                    goto FINISHED;
                }
                //double free
                SLPBufferFree(recvbuf);
            }
        ...
    }

    int ProcessDAAdvert(SLPMessage message,
                        SLPBuffer recvbuf,
                        SLPBuffer* sendbuf,
                        int errorcode)
    {
        ...
        {
            if (message->body.daadvert.errorcode == SLP_ERROR_OK)
            {
                //call "first free" function
                errorcode = SLPDKnownDAAdd(message, recvbuf);
            }
        }
        ...
    }

    int SLPDKnownDAAdd(SLPMessage msg, SLPBuffer buf)
    {
        ...
    CLEANUP:
        SLPMessageFree(msg);
        //first free
        SLPBufferFree(buf);
        if (dh) SLPDatabaseClose(dh);
        return result;
    }
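As an added illustration, not OpenSLP code: a small C model of the ownership contract in the excerpt above. The buggy callee frees the buffer at cleanup even when it fails, as SLPDKnownDAAdd does, so the caller's error-path SLPBufferFree is the second free; the fixed variant (one possible contract, not necessarily what the upstream patch did) takes ownership only on success. The function names and the instrumented allocator are assumptions of this model, chosen so the second free is counted rather than executed.

```c
#include <stdlib.h>

/* Constructed model of the OpenSLP 1.2.1 ownership mismatch, not OpenSLP
 * code: frees are instrumented so a second free is counted, not executed. */
typedef struct { int freed; } Buf;

static int double_free_count;   /* second frees seen since last reset */
static Buf *buf_alloc(void) { return calloc(1, sizeof(Buf)); }

static void buf_free(Buf *b)
{
    if (b->freed) { double_free_count++; return; } /* real free(): UB */
    b->freed = 1;
}

/* Hypothetical stand-in for SLPDKnownDAAdd: its CLEANUP label frees the
 * buffer unconditionally, then returns a non-zero result on failure. */
static int known_da_add_buggy(Buf *buf, int fail)
{
    buf_free(buf);              /* "first free", taken even on error */
    return fail ? -1 : 0;
}

/* Corrected contract (added here, not the upstream patch): the callee takes
 * ownership of buf only when it succeeds; on error the caller still owns it. */
static int known_da_add_fixed(Buf *buf, int fail)
{
    if (fail)
        return -1;
    buf_free(buf);
    return 0;
}

/* Mirrors the DAADVERT branch of SLPDProcessMessage: errorcode == 0 means
 * ownership passed (goto FINISHED); otherwise the caller frees recvbuf.
 * Returns how many double frees the instrumented allocator observed. */
static int process_daadvert(int (*add)(Buf *, int), int fail)
{
    Buf *recvbuf = buf_alloc();
    int errorcode, count;

    double_free_count = 0;
    errorcode = add(recvbuf, fail);
    if (errorcode != 0)
        buf_free(recvbuf);      /* the "double free" site in the report */
    count = double_free_count;
    free(recvbuf);              /* release the tracker object itself */
    return count;
}
```

With the buggy callee, a failing handler yields exactly one double free; with the fixed contract, neither the success nor the failure path frees twice.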
Created attachment 1069647: Upstream patch

Upstream fixed this issue in 2011: http://sourceforge.net/p/openslp/mercurial/ci/2bc15d0494f886d9c4fe342d23bc160605aea51d/