[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] AWK Problem

To: <full-disclosure@lists.netsys.com>
Subject: [Full-Disclosure] AWK Problem
From: "Helmut Hauser" <helmut.hauser@intraplan.de>
Date: Fri, 29 Aug 2003 11:01:27 +0200

We encountered a strange AWK Problem.

Problematic awk script command phrase on redhat 7.3 causing a DoS resulting
in a complete system crash.

If the file "xyz.dat" does not exist or is locked or file permission is
denied with using awk,

following offending phrase causes the crash:
   while (getline < "xyz.dat")

The correct use of awk is
   while ((getline < "xyz.dat") > 0)
or
   while (0 < (getline < "xyz.dat"))

This avoids an endless loop causing kernel panic., e.g. on redhat 7.3 Kernel
revision is 2.4.20.

Users do NOT have to have root privileges to bring the server down.

Excerpt from the man page:

The getline command returns 0 on end of file and -1 on  an
       error.   Upon an error, ERRNO contains a string describing
       the problem.

I notified Redhat on 11.03.2003 and got no answer.

Helmut Hauser
Systemadministration EDV
Intraplan Consult GmbH

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] [SECURITY] [DSA 274-1] New node packages fix remote root vulnerability
Next by Date: Re: [Full-Disclosure] Need contact in the BTOPENWORLD.COM security department
Prev by thread: [Full-Disclosure] [SECURITY] [DSA 274-1] New node packages fix remote root vulnerability
Next by thread: [Full-Disclosure] Authorities eye MSBlaster suspect
Index(es):
- Date
- Thread