nylon 0.2 (0.3?) DoS

2002-10-1000:00:00

vulners.com

JSON

Dear bugtraq@,

I found this bug in nylon 0.2, but according to CVS logs it was already
fixed in nylon project Tue Jun 25 00:27:07 2002 UTC (3 months, 2 weeks
ago), http://mesh.eecs.umich.edu/cvsweb/nylon/ So, just update to newer
version.

Details:

#if defined(SENDN) || defined(RECVN)
ssize_t
#if defined(RECVN)
recvn
#elif defined(SENDN)
sendn
#endif
(int s, void *buf, size_t len, int flags)
{
unsigned bytes = 0, bytes_left = len;

    while &#40;bytes_left &gt; 0&#41; {
            if &#40; &#40;bytes =
                      #if defined&#40;RECVN&#41;
                      recv
                      #elif defined&#40;SENDN&#41;
                      send
                      #endif
                      &#40;s, buf+&#40;len-bytes_left&#41;, bytes_left, flags&#41;&#41; != -1 &#41;
                    bytes_left -= bytes;
            else
                    return -1;
    }
    return len;

}
#endif /* defined(SENDN) || defined(RECVN) */

This function fails to check if recv() returns 0. The problem is if
remote side closes connection during recv(). In this case all recv()
calls for socket always return 0. Program enters into endless loop with
100% CPU usage. There is no any kind of timeout. Exploit is trivial.
nylon is in ports collection for FreeBSD and probably other systems.

References:

[1] Nylon 0.2 DoS source code (Unix/Windows)
http://www.security.nnov.ru/files/3nylont.c
[2] Different Proxy-related software
http://www.security.nnov.ru/soft

/ZARAZA

JSON

nylon 0.2 &#40;0.3?&#41; DoS

nylon 0.2 (0.3?) DoS