IssueDescription: A denial of service flaw was found in the way the __socket_proto_state_machine() function of glusterfs processed certain fragment headers. A remote attacker could send a specially crafted fragment header that, when processed, would cause the glusterfs process to enter an infinite loop.
Initial Report: https://bugzilla.redhat.com/show_bug.cgi?id=1136712
Acknowledgements: Red Hat would like to thank qinghao tang of Qihoo 360 Technology for reporting this issue.
Statement: Red Hat Storage 2.1 receives only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Support Matrix: https://access.redhat.com/support/policy/updates/rhs
Hi, (In reply to Wade Mealing from comment #0) > A denial of service flaw was found in the way the > __socket_proto_state_machine() function of glusterfs processed certain > fragment headers. A remote attacker could send a specially crafted fragment > header that, when processed, would cause the glusterfs process to enter an > infinite loop. I'm interested in checking the status if glusterfs in Debian is affected as well. The original report seems to be restricted, is there information/patches/affected versions which you are can share about the issue? Many thanks in advance for any pointer, Regards, Salvatore
(In reply to Salvatore Bonaccorso from comment #7) > Hi, > > (In reply to Wade Mealing from comment #0) > > A denial of service flaw was found in the way the > > __socket_proto_state_machine() function of glusterfs processed certain > > fragment headers. A remote attacker could send a specially crafted fragment > > header that, when processed, would cause the glusterfs process to enter an > > infinite loop. > > I'm interested in checking the status if glusterfs in Debian is affected as > well. The original report seems to be restricted, is there > information/patches/affected versions which you are can share about the > issue? > > Many thanks in advance for any pointer, > > Regards, > Salvatore Hi! Upstream patch that, among other things, fixes this issue: http://review.gluster.org/#/c/8662/4 The infinite loop could be triggered if a fragment header of '00000000' was sent, causing the code in __socket_proto_state_machine() to loop indefinitely.
This issue has been addressed in the following products: Red Hat Storage 3.0 Native Client for RHEL 5 for Red Hat Storage Native Client for RHEL 6 for Red Hat Storage Via RHBA-2015:0038 https://rhn.redhat.com/errata/RHBA-2015-0038.html
This issue has been addressed in the following products: Red Hat Common for RHEL 7 Via RHBA-2015:0040 https://rhn.redhat.com/errata/RHBA-2015-0040.html