Bug 1251064 - (CVE-2015-5177) CVE-2015-5177 openslp: double free in SLPDProcessMessage()
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150806,repor...
Keywords: Security
Reported: 2015-08-06 09:04 EDT by Martin Prpič
Modified: 2016-01-22 08:33 EST (History)
Last Closed: 2015-08-06 09:05:12 EDT
Attachments:
Upstream patch (1.41 KB, patch), 2015-09-03 03:46 EDT, Santiago R.R.

Description Martin Prpič 2015-08-06 09:04:29 EDT
A double free flaw was found in openslp's SLPDProcessMessage() function. A crafted packet could cause openslp to crash.

This flaw only affects version 1.2.1 of openslp, which is only shipped in EPEL 5. Version 2.0.0 is not affected.

OpenSLP is not actively maintained upstream so patches are not available.

Acknowledgements:

Red Hat would like to thank Qinghao Tang of QIHU 360 for reporting this issue.
Comment 1 Martin Prpič 2015-08-06 09:05:12 EDT
Additional details from Qinghao Tang:

Let's see how this issue happened. The code below is from
/openslp-1.2.1/slpd/slpd_process.c and slpd_knownda.c:


int SLPDProcessMessage(struct sockaddr_in* peerinfo,
                       SLPBuffer recvbuf,
                       SLPBuffer* sendbuf)
{
    ...
    message = SLPMessageAlloc();
    if (message)
    {
        /* Parse the message and fill out the message descriptor */
        errorcode = SLPMessageParseBuffer(peerinfo, recvbuf, message);
        if (errorcode == 0)
        {
            /* Process messages based on type */
            switch (message->header.functionid)
            {
            ...
            case SLP_FUNCT_DAADVERT:
                /* calls the "first free" function (SLPDKnownDAAdd, via ProcessDAAdvert) */
                errorcode = ProcessDAAdvert(message,
                                            recvbuf,
                                            sendbuf,
                                            errorcode);
                break;
            ...
            }
        }
        else
        {
            SLPDLogParseWarning(peerinfo, recvbuf);
        }

        if (header.functionid == SLP_FUNCT_SRVREG ||
            header.functionid == SLP_FUNCT_DAADVERT)
        {
            if (errorcode == 0)
            {
                goto FINISHED;
            }

            /* double free: on the error path recvbuf was already freed by SLPDKnownDAAdd() */
            SLPBufferFree(recvbuf);
        }
    ...
}


int ProcessDAAdvert(SLPMessage message,
                    SLPBuffer recvbuf,
                    SLPBuffer* sendbuf,
                    int errorcode)
{
    ...
    {
        if (message->body.daadvert.errorcode == SLP_ERROR_OK)
        {
            /* calls the "first free" function */
            errorcode = SLPDKnownDAAdd(message, recvbuf);
        }
    }
    ...
}


int SLPDKnownDAAdd(SLPMessage msg, SLPBuffer buf)
{
    ...
CLEANUP:
    SLPMessageFree(msg);
    /* first free: the caller's recvbuf is released here, whatever result is */
    SLPBufferFree(buf);
    if (dh) SLPDatabaseClose(dh);

    return result;
}
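The ownership mistake walked through in Comment 1, reduced to a stand-alone C model that is added here and is neither openslp's code nor the upstream patch: `Buffer`, `buffer_release()` and the `fail` switch are constructed stand-ins, and releases are counted instead of calling free() so the second release is observable rather than a crash. The hardened variant is one assumed fix (the callee stops releasing a buffer it does not own), not necessarily the change upstream made.

```c
/* Constructed stand-in for SLPBuffer: counts releases instead of calling
   free(), so a double release shows up as a count of 2 rather than a crash. */
typedef struct { int released; } Buffer;

static void buffer_release(Buffer *b) { b->released++; }

/* Models SLPDKnownDAAdd() as excerpted: its CLEANUP label releases the
   buffer on every path before returning the result code. `fail` is a
   hypothetical switch standing in for whatever makes the add fail. */
static int knownda_add_buggy(Buffer *buf, int fail)
{
    buffer_release(buf);              /* "first free" */
    return fail ? 1 : 0;
}

/* Models the DAADVERT branch of SLPDProcessMessage(): success jumps to
   FINISHED, failure releases recvbuf again, so a failed add releases twice. */
int process_message_buggy(Buffer *recvbuf, int fail)
{
    int errorcode = knownda_add_buggy(recvbuf, fail);
    if (errorcode == 0)
        goto FINISHED;
    buffer_release(recvbuf);          /* second release of the same buffer */
FINISHED:
    return errorcode;
}

/* Hardened variant (assumed fix, not the upstream patch): the callee reports
   failure but never releases a buffer it does not own; the caller releases once. */
static int knownda_add_fixed(Buffer *buf, int fail) { (void)buf; return fail ? 1 : 0; }

int process_message_fixed(Buffer *recvbuf, int fail)
{
    int errorcode = knownda_add_fixed(recvbuf, fail);
    if (errorcode == 0)
        goto FINISHED;                /* buffer stays owned by the caller */
    buffer_release(recvbuf);          /* single release on the error path */
FINISHED:
    return errorcode;
}

/* Run one DAAdvert through either model and report how many times the
   buffer was released; 2 is the double free, 0 or 1 is correct. */
int release_count(int fixed, int fail)
{
    Buffer b = { 0 };
    if (fixed) process_message_fixed(&b, fail);
    else       process_message_buggy(&b, fail);
    return b.released;
}
```

Only the failing-add path releases twice, which is why the crash needs a DAAdvert that parses cleanly but then fails inside SLPDKnownDAAdd().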
Comment 2 Santiago R.R. 2015-09-03 03:46:52 EDT
Created attachment 1069647
Upstream patch

Upstream fixed this issue in 2011:
http://sourceforge.net/p/openslp/mercurial/ci/2bc15d0494f886d9c4fe342d23bc160605aea51d/
