BugTraq
DoS for Ganglia Nov 06 2003 09:33PM
Jim Prewett (download hpc unm edu)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Center for High Performance Computing at UNM / Dopesquad
Security Advisory

Wed Nov 5 13:10:35 MST 2003

Discovery made by: James E. Prewett (download (at) hpc.unm (dot) edu)
Product: Ganglia
Versions: 2.5.3 tested

There is an error in Ganglia's gmond such that specially crafted packets
will crash the service.

To reproduce this error, a packet must be sent advertising a user-defined
metric that has a name string of length 1. This packet cannot be sent
from the standard client utility, which encodes a single-character name
string as 2 bytes (one for the name character, one for the 0x00 byte).
The hashval function (from lib/hash.c) returns the value of the first
character as the index into the hash array. If the value of this
character falls outside the bounds of the hash array, an invalid pointer
will be used to lock the entry and gmond will segfault.

Here is where the error is (in the hashval function in lib/hash.c):

hash_val = ((unsigned char *)key->data)[0];
for ( i = 1; i < key->size ; i++ )
    hash_val = ( hash_val * 32 + ((unsigned char *)key->data)[i]) % hash->size;

So, when the length of the key is 1, the loop body never runs and the
modulus is never applied: hash_val is simply the value of the first
character in the key, unreduced.
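The following C program is an added illustration, not code from this advisory or from the Ganglia project. It reimplements the quoted hashval loop next to a variant that reduces every key modulo the table size, and shows that a one-byte name indexes past a 32-bucket table under the original logic while the stock client's two-byte encoding and the hardened variant both stay in bounds. The datum_t and hash_t structs, the 32-bucket table, and the helper names (original_index_for_byte, fixed_index_for_byte, original_index_for_nul_terminated_byte, index_out_of_bounds) are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the key and table structures the quoted loop
 * touches; these are assumptions of this example, not Ganglia's own types. */
typedef struct {
    const void *data;   /* metric name bytes as received from the wire */
    size_t size;        /* number of bytes in the name */
} datum_t;

typedef struct {
    size_t size;        /* number of buckets in the hash array */
} hash_t;

/* The logic quoted from lib/hash.c: the first byte seeds hash_val and the
 * modulus is applied only inside the loop, so a 1-byte key is never reduced. */
size_t hashval_original(const datum_t *key, const hash_t *hash)
{
    size_t i;
    size_t hash_val = ((const unsigned char *)key->data)[0];
    for (i = 1; i < key->size; i++)
        hash_val = (hash_val * 32 + ((const unsigned char *)key->data)[i]) % hash->size;
    return hash_val;
}

/* Hardened variant (this example's own, not Ganglia's actual fix): every byte,
 * including the first, goes through the modulus, and an empty key yields 0
 * instead of reading data[0]. The result is always a valid bucket index. */
size_t hashval_fixed(const datum_t *key, const hash_t *hash)
{
    size_t i;
    size_t hash_val = 0;
    for (i = 0; i < key->size; i++)
        hash_val = (hash_val * 32 + ((const unsigned char *)key->data)[i]) % hash->size;
    return hash_val % hash->size;
}

/* The bounds check that is missing before the bucket is locked. */
int index_out_of_bounds(size_t idx, size_t buckets)
{
    return idx >= buckets;
}

/* Index each variant produces for a metric name that is exactly one byte c,
 * in a table of `buckets` entries. */
size_t original_index_for_byte(unsigned char c, size_t buckets)
{
    unsigned char name[1] = { c };
    datum_t key = { name, sizeof name };
    hash_t table = { buckets };
    return hashval_original(&key, &table);
}

size_t fixed_index_for_byte(unsigned char c, size_t buckets)
{
    unsigned char name[1] = { c };
    datum_t key = { name, sizeof name };
    hash_t table = { buckets };
    return hashval_fixed(&key, &table);
}

/* Same byte as the stock client encodes it: the character plus a 0x00 byte.
 * The loop now runs once, so even the original code applies the modulus. */
size_t original_index_for_nul_terminated_byte(unsigned char c, size_t buckets)
{
    unsigned char name[2] = { c, 0x00 };
    datum_t key = { name, sizeof name };
    hash_t table = { buckets };
    return hashval_original(&key, &table);
}

int main(void)
{
    const size_t buckets = 32;            /* constructed table size for the demo */
    const unsigned char c = 0xff;         /* constructed 1-byte metric name */
    size_t orig = original_index_for_byte(c, buckets);
    size_t fixed = fixed_index_for_byte(c, buckets);
    size_t stock = original_index_for_nul_terminated_byte(c, buckets);

    printf("1-byte name 0x%02x, %zu buckets:\n", c, buckets);
    printf("  original hashval -> %zu (out of bounds: %s)\n", orig,
           index_out_of_bounds(orig, buckets) ? "yes" : "no");
    printf("  fixed hashval    -> %zu (out of bounds: %s)\n", fixed,
           index_out_of_bounds(fixed, buckets) ? "yes" : "no");
    printf("  as 2-byte name from the stock client, original -> %zu\n", stock);
    return 0;
}
```

The table size in gmond is not stated in the advisory; 32 is chosen here only so that most printable characters land outside it and the effect is visible. Any byte value at or above the real bucket count has the same effect, which is why an unconditional reduction (or a bounds check before the bucket pointer is used) is the defensive change to look for in a patched build.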

- --
James Prewett
Systems Team Leader Designated Security Officer
HPC Systems Engineer III @ HPC@UNM -- download (at) hpc.unm (dot) edu, Jim (at) Prewett (dot) org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/qr4hv/zdxjGBbZMRAsPnAJ9jqCJ5nBW7x12oJ9i/S02mDz+JPACfQh68
3QuKhfbAJ167pWmm5z0REnE=
=1Yw9
-----END PGP SIGNATURE-----

Copyright 2010, SecurityFocus