[12689] in bugtraq
Re: local users can panic linux kernel (was: SuSE syslogd
daemon@ATHENA.MIT.EDU (Darren Reed)
Mon Nov 22 17:40:24 1999
Message-Id: <199911201152.WAA08968@cairo.anu.edu.au>
Date: Sat, 20 Nov 1999 22:52:55 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To: mixter@NEWYORKOFFICE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.04.9911190341190.349-200000@aviation.net> from
"Mixter" at Nov 19, 1999 03:59:00 AM

In some mail from Mixter, sie said:
>
> The impact of the syslogd Denial Of Service vulnerability seems to
> be bigger than expected. I found that syslog could not be stopped from
> responding by one or a few connections, since it uses select() calls
> to synchronously manage the connections to /dev/log. I made an attempt
> with the attached test code, which makes about 2000 connects to syslog,
> using multiple processes, and my system instantly died with the message:
> 'Kernel panic: can't push onto full stack'

Given that most other platforms use datagram sockets (of one type or another)
for syslog, can anyone explain the benefit of using stream sockets? FWIW,
even the STREAMS driver used by Solaris has better operational properties
than this (only one receiving device).

A naive guess is to provide better reliability of sent messages. Denial of
Service issues (with datagram mode - flooding of packets) are still present,
just different and are arguably more difficult to deal with for little
overall gain. I'd venture to say that in a friendly environment, there is
no benefit in using stream sockets and in an unfriendly one, perhaps even
disadvantages.

Darren
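
The stream-versus-datagram point in the message above, as an added example that is not part of the original post or of any syslogd: it reports which socket type a local log socket uses and counts how many descriptors a receiver must hold per sender in each mode. The function names `unix_socket_type` and `receiver_cost` are hypothetical, the comparison runs on a private socket in a temporary directory, and the probe assumes that `connect()` fails with `EPROTOTYPE` on a type mismatch, as Linux documents.

```python
import errno
import os
import socket
import tempfile

def unix_socket_type(path, timeout=2.0):
    """Return 'dgram' or 'stream' for the listener bound at path, else None."""
    for name, kind in (("dgram", socket.SOCK_DGRAM), ("stream", socket.SOCK_STREAM)):
        with socket.socket(socket.AF_UNIX, kind) as s:
            s.settimeout(timeout)
            try:
                s.connect(path)
                return name
            except OSError as e:
                # EPROTOTYPE: a listener exists, but of the other type.
                if e.errno != errno.EPROTOTYPE:
                    return None  # missing, stale, or not permitted
    return None

def receiver_cost(kind, senders, path):
    """Serve `senders` clients on a private socket; return (fds held, msgs read)."""
    srv = socket.socket(socket.AF_UNIX, kind)
    srv.bind(path)
    held, clients, received = [srv], [], 0
    if kind == socket.SOCK_STREAM:
        srv.listen(senders)
    try:
        for i in range(senders):
            c = socket.socket(socket.AF_UNIX, kind)
            clients.append(c)
            c.connect(path)
            c.send(b"<13>constructed test message %d" % i)
            src = srv  # datagram: every sender shares the one bound socket
            if kind == socket.SOCK_STREAM:
                src = srv.accept()[0]  # stream: a new descriptor per sender
                held.append(src)
            received += bool(src.recv(256))
        return len(held), received
    finally:
        for s in held + clients:
            s.close()
        os.unlink(path)

if __name__ == "__main__":
    print("/dev/log:", unix_socket_type("/dev/log"))
    with tempfile.TemporaryDirectory() as d:  # private path, not the real log socket
        for kind in (socket.SOCK_STREAM, socket.SOCK_DGRAM):
            print(kind.name, receiver_cost(kind, 5, os.path.join(d, "log")))
```

With five senders the stream receiver ends up holding six descriptors and the datagram receiver one, so only the stream receiver's per-client state grows with the number of local connections.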