Vigil@nce: OpenSolaris, denial of service via tcp_sendmsg
November 2009 by Vigil@nce
A local attacker can trigger a memory leak when TCP messages are
sent, in order to cause a denial of service.
– Severity: 1/4
– Consequences: denial of service of the computer
– Provenance: user account
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 12/11/2009
IMPACTED PRODUCTS
– OpenSolaris
DESCRIPTION OF THE VULNERABILITY
The sendmsg() function sends messages. When the TCP protocol is
used, sendmsg() calls tcp_sendmsg() from the
usr/src/uts/common/inet/tcp/tcp.c file.
A message contains a field named "msg_control" that points to
ancillary data. The tcp_sendmsg() function does not support this
data type and returns an error. However, a previously allocated
memory area is not freed on this error path.
A local attacker can therefore trigger a memory leak when TCP
messages are sent, in order to cause a denial of service.
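The error-path leak described above, modelled in user-space C as an added example; it is not the OpenSolaris tcp.c source. The struct, the function names, the allocation counter and the EOPNOTSUPP return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for a message header: only the fields the advisory names. */
struct model_msg {
    const void *msg_control;    /* ancillary data, unsupported on this path */
    size_t      msg_controllen;
    size_t      payload_len;
};

static long outstanding;        /* live allocations, so a leak is observable */
static void *tracked_alloc(size_t n) { void *p = malloc(n); if (p) outstanding++; return p; }
static void tracked_free(void *p) { if (p) { outstanding--; free(p); } }

/* Leaky shape: allocate first, then reject the unsupported field and return. */
int model_send_leaky(const struct model_msg *m)
{
    void *buf = tracked_alloc(m->payload_len);
    if (buf == NULL)
        return -ENOMEM;
    if (m->msg_control != NULL || m->msg_controllen != 0)
        return -EOPNOTSUPP;     /* assumed errno; buf is never released here */
    tracked_free(buf);          /* normal path: buffer used, then released */
    return 0;
}

/* Corrected shape: a single cleanup point, so the error path releases buf too. */
int model_send_fixed(const struct model_msg *m)
{
    int rc = 0;
    void *buf = tracked_alloc(m->payload_len);
    if (buf == NULL)
        return -ENOMEM;
    if (m->msg_control != NULL || m->msg_controllen != 0)
        rc = -EOPNOTSUPP;       /* fall through to the shared cleanup */
    tracked_free(buf);
    return rc;
}

/* Net allocations left behind by `calls` requests carrying ancillary data. */
long leaked_after(int (*send_fn)(const struct model_msg *), int calls)
{
    static const char cmsg[16] = {0};           /* constructed sample input */
    struct model_msg m = { cmsg, sizeof cmsg, 64 };
    long before = outstanding;
    for (int i = 0; i < calls; i++)
        (void)send_fn(&m);
    return outstanding - before;
}
```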
CHARACTERISTICS
– Identifiers: 266488, 6872588, BID-36992, VIGILANCE-VUL-9194
– Url: http://vigilance.fr/vulnerability/OpenSolaris-denial-of-service-via-tcp-sendmsg-9194