Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
The new packet buffer code (and checks) in v20 revealed a long-standing issue in fastd: A buffer with an invalid packet will just leak. This results in an assert with v20 and memory exhaustion in earlier versions. While v21 (already in unstable) fixed it, the memory exhaustion is still a problem for stable and oldstable.

[ Impact ]
The problem can be used to DoS a system. Only some handcrafted (invalid) UDP packets have to be sent to a server.

[ Tests ]
Tested on a server with an attacker which injects invalid packets on the relevant UDP port. v20 "crashed" after a couple of packets. v18 (currently in [old]stable) required a couple of minutes to exhaust all memory of the system.

Invalid packets can, for example, easily be created using:

    iperf -u -c target.server.example.net -p 10000 -t 3000 -b 40M

The problem went completely away after v21 was installed or the proposed upload from this ticket was installed. The stability test of the fixed version is ongoing.

[ Risks ]
None known at the moment

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Other info ]
See http://bugs.debian.org/972521 for the unstable bug.

I have not yet uploaded the change to stable but will do this after I get an approval for the attached change.

Kind regards,
Sven

diff -Nru fastd-18/debian/changelog fastd-18/debian/changelog --- fastd-18/debian/changelog 2016-05-13 13:37:11.000000000 +0200 +++ fastd-18/debian/changelog 2020-10-19 22:42:50.000000000 +0200 @@ -1,3 +1,12 @@ +fastd (18-2+deb9u1) stretch; urgency=medium + + * debian/patches: + - Add 0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch, + Fix DoS'able memory leak when receiving too many invalid packets + (Closes: #972521) + + -- Sven Eckelmann <s...@narfation.org> Mon, 19 Oct 2020 22:42:50 +0200 + fastd (18-2) unstable; urgency=medium * Fix operation under systemd (Closes: #823801). diff -Nru fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch --- fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch 1970-01-01 01:00:00.000000000 +0100 +++ fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch 2020-10-19 22:42:50.000000000 +0200 
@@ -0,0 +1,43 @@ +From: Matthias Schiffer <mschif...@universe-factory.net> +Date: Mon, 19 Oct 2020 21:08:16 +0200 +Subject: receive: fix buffer leak when receiving invalid packets + +For fastd versions before v20, this was just a memory leak (which could +still be used for DoS, as it's remotely triggerable). With the new +buffer management of fastd v20, this will trigger an assertion failure +instead as soon as the buffer pool is empty. + +Origin: upstream, https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea +Bug-Debian: https://bugs.debian.org/972521 +--- + src/receive.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/receive.c b/src/receive.c +index 732d4a7..a3ecfe3 100644 +--- a/src/receive.c ++++ b/src/receive.c +@@ -186,6 +186,11 @@ static inline void handle_socket_receive_known(fastd_socket_t *sock, const fastd + + case PACKET_HANDSHAKE: + fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer); ++ break; ++ ++ default: ++ fastd_buffer_free(buffer); ++ pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr); + } + } + +@@ -211,6 +216,11 @@ static inline void handle_socket_receive_unknown(fastd_socket_t *sock, const fas + + case PACKET_HANDSHAKE: + fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer); ++ break; ++ ++ default: ++ fastd_buffer_free(buffer); ++ pr_debug("received packet with invalid type from unknown address %I", remote_addr); + } + } + diff -Nru fastd-18/debian/patches/series fastd-18/debian/patches/series --- fastd-18/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ fastd-18/debian/patches/series 2020-10-19 22:42:50.000000000 +0200 @@ -0,0 +1 @@ +0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch
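
Review bot: In the handle_socket_receive_known hunk, the new default branch is the only place where the switch frees buffer itself, while the PACKET_HANDSHAKE case passes buffer to fastd_handshake_handle and does not free it, so the ownership rule stays implicit. A one-line comment above the switch stating that every branch must either hand buffer to a handler or call fastd_buffer_free would keep the next added packet type from reintroducing the leak.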
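
Review bot: In the handle_socket_receive_unknown hunk, the added pr_debug runs once for every invalid packet from any unknown address, so a flood of such packets now produces one log line per packet whenever debug logging is enabled. Consider rate-limiting this message, or state in the patch description that it is emitted at debug level only and is not expected to be enabled on exposed servers.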
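
Added example, not part of the original message and not fastd's code: a miniature receive path showing why a dispatch switch without a default branch leaks one buffer per invalid packet, and how the default branch from the patch stops it. The fixed-size pool, `buf_t`, `feed`, the `dispatch_*` names and the type byte values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define POOL_SIZE 8
enum { PACKET_DATA = 1, PACKET_HANDSHAKE = 2 }; /* constructed type values */
typedef struct { uint8_t data[64]; int in_use; } buf_t;
static buf_t pool[POOL_SIZE];

static buf_t *buf_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL; /* pool exhausted: no further packet can be received */
}
static void buf_free(buf_t *b) { b->in_use = 0; }

/* Stand-ins for the real handlers: each takes ownership and releases the buffer. */
static void handle_data(buf_t *b) { buf_free(b); }
static void handle_handshake(buf_t *b) { buf_free(b); }

/* Before the fix: an unknown type byte matches no case, so nobody frees the buffer. */
static void dispatch_leaky(buf_t *b) {
    switch (b->data[0]) {
    case PACKET_DATA: handle_data(b); break;
    case PACKET_HANDSHAKE: handle_handshake(b); break;
    }
}

/* After the fix: the default branch releases buffers that no handler took. */
static void dispatch_fixed(buf_t *b) {
    switch (b->data[0]) {
    case PACKET_DATA: handle_data(b); break;
    case PACKET_HANDSHAKE: handle_handshake(b); break;
    default: buf_free(b); break;
    }
}

/* Receive n packets with the given type byte on a fresh pool; return how many
 * could not be received because no buffer was left. */
static int feed(void (*dispatch)(buf_t *), uint8_t type, int n) {
    int dropped = 0;
    for (int i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
    for (int i = 0; i < n; i++) {
        buf_t *b = buf_alloc();
        if (!b) { dropped++; continue; }
        b->data[0] = type;
        dispatch(b);
    }
    return dropped;
}

int main(void) {
    printf("leaky: %d of 20 dropped\n", feed(dispatch_leaky, 0xFF, 20));
    printf("fixed: %d of 20 dropped\n", feed(dispatch_fixed, 0xFF, 20));
    return 0;
}
```

The pool models the v20 behaviour described in the message, where the failure shows up as soon as the pool is empty; with heap-allocated buffers as in earlier versions the same missing branch shows up as steadily growing memory use instead.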