From 97648fc257a17d71fe256990efe703afb7b4e48b Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 10 Feb 2010 11:11:42 -0800 Subject: [PATCH] Disable kpasswdd error replies to completely malformed requests Only send an error reply if the request passes basic verification. Otherwise, kpasswdd would reply to every UDP packet, allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP packet with a source address of another UDP service that also replies to every packet. Also suppress the error reply if ap_req_len is 0, since this indicates an error packet. An error packet may be the result of a ping-pong attacker pointing us at another kpasswdd. Signed-off-by: Love Hornquist Astrand --- kpasswd/kpasswdd.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/kpasswd/kpasswdd.c b/kpasswd/kpasswdd.c index f14211602..5ba459cf3 100644 --- a/kpasswd/kpasswdd.c +++ b/kpasswd/kpasswdd.c @@ -447,13 +447,27 @@ verify (krb5_auth_context *auth_context, krb5_data krb_priv_data; krb5_realm *r; + /* + * Only send an error reply if the request passes basic length + * verification. Otherwise, kpasswdd would reply to every UDP packet, + * allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP + * packet with a source address of another UDP service that also replies + * to every packet. + * + * Also suppress the error reply if ap_req_len is 0, which indicates + * either an invalid request or an error packet. An error packet may be + * the result of a ping-pong attacker pointing us at another kpasswdd. + */ pkt_len = (msg[0] << 8) | (msg[1]); pkt_ver = (msg[2] << 8) | (msg[3]); ap_req_len = (msg[4] << 8) | (msg[5]); if (pkt_len != len) { krb5_warnx (context, "Strange len: %ld != %ld", (long)pkt_len, (long)len); - reply_error (NULL, s, sa, sa_size, 0, 1, "Bad request"); + return 1; + } + if (ap_req_len == 0) { + krb5_warnx (context, "Request is error packet (ap_req_len == 0)"); return 1; } if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&