Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   OpenSLP Vendors:
OpenSLP Null Pointer Dereference in _xrealloc() Lets Remote Users Consume Excessive Memory Resources
SecurityTracker Alert ID:  1035916
SecurityTracker URL:
CVE Reference:   CVE-2016-4912   (Links to External Site)
Date:  May 19 2016
Impact:   Denial of service via network

Version(s): 2.0.0
Description:   A vulnerability was reported in OpenSLP. A remote user can consume excessive memory on the target system.

A remote user can send a specially crafted request to trigger a null pointer dereference. A remote user can issue multiple requests to consume excessive memory on the target system.

The _xrealloc() function in 'slp_xmalloc.c' is affected.

Yuguang Cai (Qihoo 360) reported this vulnerability.

Impact:   A remote user can consume excessive memory resources on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [oss-security] Re: CVE Request: null pointer deref in openslp, can be triggered remotely

Hash: SHA256

> return value from malloc isn't checked

Our guess is that this probably wasn't an intentional design choice,
and thus it's a security-related bug for some deployments. Use


The oss-security message and the rhbz document seem to describe the
impact in different ways, i.e., "Basically return value from malloc
isn't checked ... This can be triggered remotely by sending a large
number of requests, which could possibly lead malloc to fail at one
point, causing crash via null pointer deref" versus "A remote attacker
could potentially deplete the memory of the server." For purposes of
CVE, this type of scenario is often not interpreted as two independent
problems. Roughly speaking, it is interpreted as "The unchecked malloc
return value is the primary problem. This problem becomes reachable
for reasons that aren't fully described, but those reasons might
involve a design limitation in which the memory consumption of
requests is not strictly controlled." says "The
OpenSLP daemon (slpd) must run as root initially in order to bind to
the well known SLP port. However, slpd will relinquish root privileges
and suid() to the daemon user (if it exists)." Thus, maybe the
affected code is running as root with large or unbounded resource
limits in some situations.

> Because of the way memory works on modern linux systems, this one seems
> to be difficult to exploit

Maybe there is a relevant non-Linux case? says "the OpenSLP code has
proven to be very portable. It currently works on many operating
systems including: Linux, BSD, Solaris, Tru64, HPUX, UnixWare, OSR5,
and Win32."

Finally, although perhaps not related to the issue of whether a CVE ID
should exist, that Security.html page says "If you find a security
hole in OpenSLP, please bring it to the attention of the OpenSLP
maintainer" and names John Calcote. Possibly Red Hat could do this
upstream notification if that hasn't already happened.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]
Version: GnuPG v1


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC