[Bug 309746] [NEW] atftpd crash - denial of service
Launchpad Bug Tracker
309746 at bugs.launchpad.net
Sun Mar 22 19:15:09 GMT 2009
You have been subscribed to a public bug by Mackenzie Morgan (maco.m):
Binary package hint: atftpd
Description: Ubuntu 8.04.1
Release: 8.04
Architecture: i386
Source: atftp
Version: 0.7.dfsg-3
Atftpd crash with signal 11. I can force atftpd to crash during a tftp
session by sending it a malformed tftp error packet. Client ask for a
file - atftpd sent first block of data - client send a malformed tftp
error packet only consisting of the error opcode and the errno - but
without the required error string. Hereafter atftpd crash with signal
11.
Atftpd use a customized version of Strncpy there ensure the copied
string is null terminated. The implementation did not take into account
that the string size could be zero.
I have attached a patch which solve the problem. I have also a small
perl script there create the malformed tftp session.
Regards,
Jakob Hilmer - jakob at hilmer.dk
** Affects: atftp (Ubuntu)
Importance: Medium
Status: Triaged
** Affects: atftp (Debian)
Importance: Unknown
Status: New
** Tags: bitesize
--
atftpd crash - denial of service
https://bugs.edge.launchpad.net/bugs/309746
You received this bug notification because you are a member of Ubuntu Sponsors for universe, which is a direct subscriber.
More information about the Ubuntu-universe-sponsors
mailing list