Your message dated Wed, 21 Oct 2020 22:58:56 +0100 with message-id <f21fe9e6bc0687ad2523189af5de777ab1833add.camel@adam-barratt.org.uk> and subject line Re: Bug#972652: stretch-pu: package fastd/18-2+deb9u1 has caused the Debian Bug report #972652, regarding stretch-pu: package fastd/18-2+deb9u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
972652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972652
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: stretch-pu: package fastd/18-2+deb9u1
- From: Sven Eckelmann <sven@narfation.org>
- Date: Wed, 21 Oct 2020 22:34:50 +0200
- Message-id: <6885253.CyXYBnHSc0@sven-edge>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
The new packet buffer code (and checks) in v20 revealed a long-standing issue in fastd: A buffer with an invalid packet will just leak. This results in an assert with v20 and memory exhaustion in earlier versions.

While v21 (already in unstable) fixed it, the memory exhaustion is still a problem for stable and oldstable.

[ Impact ]
The problem can be used to DoS a system. Only some handcrafted (invalid) UDP packets have to be sent to a server.

[ Tests ]
Tested on a server with an attacker which injects invalid packets on the relevant UDP port. v20 "crashed" after a couple of packets. v18 (currently in [old]stable) required a couple of minutes to exhaust all memory of the system.

Invalid packets can, for example, easily be created using:

    iperf -u -c target.server.example.net -p 10000 -t 3000 -b 40M

The problem went completely away after v21 was installed or the proposed upload from this ticket was installed.

The stability test of the fixed version is ongoing.

[ Risks ]
None known at the moment

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Other info ]
See http://bugs.debian.org/972521 for the unstable bug.

I have not yet uploaded the change to stable but will do this after I get an approval for the attached change.

Kind regards,
Sven

diff -Nru fastd-18/debian/changelog fastd-18/debian/changelog --- fastd-18/debian/changelog 2016-05-13 13:37:11.000000000 +0200 +++ fastd-18/debian/changelog 2020-10-19 22:42:50.000000000 +0200 
@@ -1,3 +1,12 @@ +fastd (18-2+deb9u1) stretch; urgency=medium + + * debian/patches: + - Add 0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch, + Fix DoS'able memory leak when receiving too many invalid packets + (Closes: #972521) + + -- Sven Eckelmann <sven@narfation.org> Mon, 19 Oct 2020 22:42:50 +0200 + fastd (18-2) unstable; urgency=medium * Fix operation under systemd (Closes: #823801). diff -Nru fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch --- fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch 1970-01-01 01:00:00.000000000 +0100 +++ fastd-18/debian/patches/0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patch 2020-10-19 22:42:50.000000000 +0200 
@@ -0,0 +1,43 @@ +From: Matthias Schiffer <mschiffer@universe-factory.net> +Date: Mon, 19 Oct 2020 21:08:16 +0200 +Subject: receive: fix buffer leak when receiving invalid packets + +For fastd versions before v20, this was just a memory leak (which could +still be used for DoS, as it's remotely triggerable). With the new +buffer management of fastd v20, this will trigger an assertion failure +instead as soon as the buffer pool is empty. + +Origin: upstream, https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea +Bug-Debian: https://bugs.debian.org/972521 +--- + src/receive.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/receive.c b/src/receive.c +index 732d4a7..a3ecfe3 100644 +--- a/src/receive.c ++++ b/src/receive.c +@@ -186,6 +186,11 @@ static inline void handle_socket_receive_known(fastd_socket_t *sock, const fastd + + case PACKET_HANDSHAKE: + fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer); ++ break; ++ ++ default: ++ fastd_buffer_free(buffer); ++ pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr); + } + } + +@@ -211,6 +216,11 @@ static inline void handle_socket_receive_unknown(fastd_socket_t *sock, const fas + + case PACKET_HANDSHAKE: + fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer); ++ break; ++ ++ default: ++ fastd_buffer_free(buffer); ++ pr_debug("received packet with invalid type from unknown address %I", remote_addr); + } + } + diff -Nru fastd-18/debian/patches/series fastd-18/debian/patches/series --- fastd-18/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ fastd-18/debian/patches/series 2020-10-19 22:42:50.000000000 +0200 @@ -0,0 +1 @@ +0001-receive-fix-buffer-leak-when-receiving-invalid-packe.patchAttachment: signature.asc
Description: This is a digitally signed message part.
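Review bot: the `default:` branch added to `handle_socket_receive_known` in src/receive.c frees the buffer but nothing in the switch says that every case is expected to consume or free `buffer`, which is the rule whose absence caused the leak. A one-line comment above the switch stating that ownership contract would help the next person who adds a packet type. The `pr_debug` message there also reports only the peer and address; including the rejected type value would make the log line usable for diagnosing where malformed traffic comes from.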
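Review bot: the `default:` branch in `handle_socket_receive_unknown` repeats the same `fastd_buffer_free(buffer)` plus `pr_debug` sequence as the one in `handle_socket_receive_known`, so the two copies can drift apart again. A small shared helper that takes the buffer and the address would keep the cleanup in one place. Because this path is reached by packets from unknown addresses, keeping the message at debug level is the right call; it is worth saying so in a comment so it is not later raised to a level that logs once per packet.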
--- End Message ---
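The leak described in the [ Reason ] section above, reduced to a toy model as an added example (not fastd source and not part of the original messages): a fixed buffer pool and a type dispatcher, run once without and once with a `default:` branch that releases the buffer. All names, sizes and type values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the leak, not fastd source; all names and sizes are hypothetical. */
#define POOL_SIZE 8
#define BUF_LEN   64
enum { PKT_DATA = 1, PKT_HANDSHAKE = 2 };      /* constructed type values */

static unsigned char pool[POOL_SIZE * BUF_LEN];
static int in_use[POOL_SIZE];

static unsigned char *buf_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool + i * BUF_LEN; }
    return NULL;                               /* pool exhausted */
}
static void buf_free(unsigned char *b) { in_use[(b - pool) / BUF_LEN] = 0; }

/* Each handler takes ownership of the buffer and releases it when done. */
static void handle_data(unsigned char *b)      { buf_free(b); }
static void handle_handshake(unsigned char *b) { buf_free(b); }

/* Dispatch one packet; returns 0 when no buffer was left to receive into. */
static int receive_one(unsigned char type, int with_default) {
    unsigned char *b = buf_alloc();
    if (!b) return 0;
    switch (type) {
    case PKT_DATA:      handle_data(b);      break;
    case PKT_HANDSHAKE: handle_handshake(b); break;
    default:            /* no handler owns b here: free it or it is lost */
        if (with_default) buf_free(b);
    }
    return 1;
}

/* Feed n packets of an unhandled type, then count the buffers still free. */
static int free_after_invalid(int n, int with_default) {
    int free_bufs = 0;
    memset(in_use, 0, sizeof in_use);
    for (int i = 0; i < n; i++) receive_one(0xFF, with_default);
    for (int i = 0; i < POOL_SIZE; i++) free_bufs += !in_use[i];
    return free_bufs;
}

/* Can a well-formed packet still be received after n invalid ones? */
static int valid_accepted_after(int n, int with_default) {
    free_after_invalid(n, with_default);
    return receive_one(PKT_DATA, with_default);
}

int main(void) {
    printf("no default:   %d buffers free\n", free_after_invalid(100, 0));
    printf("with default: %d buffers free\n", free_after_invalid(100, 1));
    return 0;
}
```

With a bounded pool the missing branch shows up as exhaustion after `POOL_SIZE` invalid packets; with heap allocation, as in the versions before v20 described in the report, the same ownership gap shows up as unbounded memory growth instead.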
--- Begin Message ---
- To: Sven Eckelmann <sven@narfation.org>, 972652-done@bugs.debian.org
- Subject: Re: Bug#972652: stretch-pu: package fastd/18-2+deb9u1
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Wed, 21 Oct 2020 22:58:56 +0100
- Message-id: <f21fe9e6bc0687ad2523189af5de777ab1833add.camel@adam-barratt.org.uk>
- In-reply-to: <6885253.CyXYBnHSc0@sven-edge>
- References: <6885253.CyXYBnHSc0@sven-edge>
On Wed, 2020-10-21 at 22:34 +0200, Sven Eckelmann wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian.org@packages.debian.org
> Usertags: pu

stretch has been handled by the LTS Team since July, so you'll need to discuss any possible updates to packages there with them. See https://wiki.debian.org/LTS

Regards,

Adam
--- End Message ---