-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Center for High Performance Computing at UNM / Dopesquad
Security Advisory
Wed Nov 5 13:10:35 MST 2003
Discovery made by: James E. Prewett (download@hpc.unm.edu)
Product: Ganglia
Versions: 2.5.3 tested
There is an error in Ganglia's gmond such that specially crafted packets
will crash the service.
To reproduce this error, a packet must be sent advertising a user-defined
metric that has a name string of length 1. This packet cannot be sent
from the standar d client utility that encodes a single character name
string as being 2 bytes (o ne for the name character, one for the 0x00
byte). The hashval function (from lib/hash.c) returns the value of the
first character as the index into the hash array. If the value of this
character is larger than the hash array, then an invalid pointer will be
used to lock the entry and gmond will segfault.
Here is where the error is at (in hash.c in the hashval function):
hash_val = ((unsigned char *)key->data)[0];
for ( i = 1; i < key->size ; i++ )
hash_val = ( hash_val * 32 + ((unsigned char *)key->data)[i]) %
hash->size
;
So, when the length of the key is 1, the modulus is never performed, so
hash_val is the value of the first character in the key.
- --
James Prewett
Systems Team Leader Designated Security Officer
HPC Systems Engineer III @ HPC@UNM -- download@hpc.unm.edu Jim@Prewett.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/qr4hv/zdxjGBbZMRAsPnAJ9jqCJ5nBW7x12oJ9i/S02mDz+JPACfQh68
3QuKhfbAJ167pWmm5z0REnE=
=1Yw9
-----END PGP SIGNATURE-----
