Argonne National Laboratory

Experimental Physics and Industrial Control System

Subject: Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request]
From: Ralph Lange <ralph.lange@gmx.de>
To: EPICS Tech Talk <tech-talk@aps.anl.gov>
Date: Mon, 15 Jan 2018 09:36:01 +0100
Dear Shuei,

I have created https://bugs.launchpad.net/epics-base/+bug/1743321 to track this issue.

Note, though, that Channel Access never claimed to be hardened. Even after fixing this behavior, an attacker on the local network will be able to cause all sorts of havoc by sending malformed network packages to CA servers and clients.
Channel Access is not intended for use in a hostile environment.

Thanks for tracking this down and pointing it out!

Cheers,
~Ralph


On Mon, Jan 15, 2018 at 9:13 AM, Shuei YAMADA <shuei.yamada@gmail.com> wrote:
Dear all,

Last April I posted to tech-talk a problem that cagateway runs away
on rare occasions ( https://epics.anl.gov/tech-talk/2017/msg00714.php ).
I successfully reproduced the problem by a UDP port scan with nmap.
When I run nmap as follows:

nmap -sU -p 5064 -A ip.address.of.cagateway

- all PVs subscribing via cagateway become disconnected,
- cagateway is eating up the CPU,
- no distinguishable log message, no "zero length PV name in UDP
search request?" either,
- excas shows the same symptom.

There is no way to exit the while() loop in
casDGClient::processDG() when the program reaches the end of the while()
block with a condition such that:
- this->in.bytesPresent()>0 && dgInBytesConsumed == 0 && status ==
S_cas_success.

We are using base R3.14.12.3 for production and R3.15.5 for evaluation
at our site and both have the problem. Also R3.14.12.7 and R3.16.1
seem to have the same problem. Please find a naive fix for this in
the attachment.

best regards,
Shuei
--
----------------------------------------------------
Shuei Yamada,
High Energy Accelerator Research Organization (KEK)
mailto:shuei@post.kek.jp
----------------------------------------------------
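The loop condition Shuei describes (bytes still present, zero bytes consumed, status success) is the classic no-progress hang in a datagram parser. The following is an added model of such a loop with the missing guard, written for this thread and not taken from EPICS Base: the 16-byte header layout and command number 6 for a search request follow the CA protocol, while the handler, the result struct and the sample datagram are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Outcome of processing one UDP datagram (a model of the loop in the post,
// not the real casDGClient::processDG()).
struct DgResult {
    std::size_t messages;  // complete messages dispatched
    std::size_t leftover;  // bytes dropped when the loop stopped early
    bool stalled;          // an iteration consumed nothing: the reported bug
};

const std::size_t kHdrLen = 16;  // CA header: cmd, payload size, type, count, p1, p2
static std::uint16_t be16(const std::uint8_t* p) { return std::uint16_t((p[0] << 8) | p[1]); }

// Hypothetical per-message handler. It mimics the failure mode in the post:
// for a search request (cmd 6) with no PV name it reports success but
// consumes nothing, which an unguarded while() loop would repeat forever.
static bool handleMessage(std::uint16_t cmd, std::size_t msgLen, std::size_t* consumed) {
    if (cmd == 6 && msgLen == kHdrLen) { *consumed = 0; return true; }
    *consumed = msgLen;  // any other message is taken whole
    return true;
}

DgResult processDatagram(const std::vector<std::uint8_t>& dg) {
    DgResult r = {0, 0, false};
    std::size_t pos = 0;
    while (pos < dg.size()) {                        // bytesPresent() > 0
        std::size_t avail = dg.size() - pos;
        if (avail < kHdrLen) break;                   // truncated header: drop tail
        std::uint16_t cmd = be16(&dg[pos]);
        std::size_t msgLen = kHdrLen + be16(&dg[pos + 2]);
        if (msgLen > avail) break;                    // payload overruns datagram: drop
        std::size_t consumed = 0;
        if (!handleMessage(cmd, msgLen, &consumed)) break;
        if (consumed == 0) { r.stalled = true; break; }  // no-progress guard
        pos += consumed;
        ++r.messages;
    }
    r.leftover = dg.size() - pos;  // whatever is left is discarded, not re-read
    return r;
}

// Constructed sample: a 16-byte search header with zero-length name (the
// case from the post) followed by five stray bytes such as a scanner might send.
const std::vector<std::uint8_t> kSampleProbe = {
    0x00, 0x06, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0xde, 0xad, 0xbe, 0xef, 0x00};
```

With the guard, the probe returns with `stalled` set and the rest of the datagram dropped instead of spinning the CPU; a stalled result is also a useful thing to log, since the post notes the original hang produced no log message at all.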
