CVE-2012-0845

First published: Mon Feb 13 2012(Updated: )

Description of problem: When using SimpleXMLRPCServer from the standard library, if a client connection is closed before the complete request body has been received the server will enter an infinite loop consuming memory. Version-Release number of selected component (if applicable): python-2.6.6-29.el6.x86_64 How reproducible: always Steps to Reproduce: 1. Start the server: <span class="quote">&gt;&gt;&gt; import SimpleXMLRPCServer, SocketServer &gt;&gt;&gt; class Server(SocketServer.ThreadingMixIn, SimpleXMLRPCServer.SimpleXMLRPCServer): pass</span> ... <span class="quote">&gt;&gt;&gt; Server(('0.0.0.0', 12345)).serve_forever()</span> 2. Simulate a malicious or flakey client: $ echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345 ^C Actual results: Server goes nuts, with a thread stuck in an infinite loop eating memory. Expected results: Bad request is discarded. Additional info: The bug is in /usr/lib64/python2.6/SimpleXMLRPCServer.py at line 453: # Get arguments by reading body of request. # We read this in chunks to avoid straining # socket.read(); around the 10 or 15Mb mark, some platforms # begin to have problems (bug #792570). max_chunk_size = 10*1024*1024 size_remaining = int(self.headers["content-length"]) L = [] while size_remaining: chunk_size = min(size_remaining, max_chunk_size) L.append(self.rfile.read(chunk_size)) size_remaining -= len(L[-1]) data = ''.join(L) This code does not correctly handle EOF from self.rfile.read().

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/first-publish-date
• collector/launchpad-cve
• source/Launchpad
• agent/weakness
• agent/severity
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2012-0845
• agent/software-canonical-lookup
• collector/mitre-cve
• source/MITRE
• collector/usn-cve
• source/Ubuntu
• agent/references
• agent/remedy
• agent/last-modified-date
• agent/trending
• agent/source
• agent/author
• collector/nvd-cve
• source/NVD
• agent/software-canonical-lookup-request
• collector/nvd-index
• agent/tags
• agent/softwarecombine
• agent/description
• agent/event
• collector/security-tracker-debian
• source/Debian
• package-manager/redhat
• vendor/python
• canonical/python 2.7
• version/python 2.7/2.6.7
• version/python 2.7/0.9.0
• version/python 2.7/0.9.1
• version/python 2.7/1.2
• version/python 2.7/1.3
• version/python 2.7/1.5.2
• version/python 2.7/1.6
• version/python 2.7/1.6.1
• version/python 2.7/2.0
• version/python 2.7/2.0.1
• version/python 2.7/2.1
• version/python 2.7/2.1.1
• version/python 2.7/2.1.2
• version/python 2.7/2.1.3
• version/python 2.7/2.2
• version/python 2.7/2.2.1
• version/python 2.7/2.2.2
• version/python 2.7/2.2.3
• version/python 2.7/2.3.1
• version/python 2.7/2.3.2
• version/python 2.7/2.3.3
• version/python 2.7/2.3.4
• version/python 2.7/2.3.5
• version/python 2.7/2.3.7
• version/python 2.7/2.4.1
• version/python 2.7/2.4.2
• version/python 2.7/2.4.3
• version/python 2.7/2.4.4
• version/python 2.7/2.4.6
• version/python 2.7/2.5.1
• version/python 2.7/2.5.2
• version/python 2.7/2.5.3
• version/python 2.7/2.5.4
• version/python 2.7/2.5.6
• version/python 2.7/2.5.150
• version/python 2.7/2.6.1
• version/python 2.7/2.6.2
• version/python 2.7/2.6.3
• version/python 2.7/2.6.4
• version/python 2.7/2.6.5
• version/python 2.7/2.6.6
• version/python 2.7/2.6.2150
• version/python 2.7/2.6.6150
• version/python 2.7/2.7.1
• version/python 2.7/2.7.1-rc1
• version/python 2.7/2.7.2-rc1
• version/python 2.7/2.7.1150
• version/python 2.7/2.7.2150
• version/python 2.7/3.0
• version/python 2.7/3.0.1
• version/python 2.7/3.1
• version/python 2.7/3.1.1
• version/python 2.7/3.1.2
• version/python 2.7/3.1.3
• version/python 2.7/3.1.4
• version/python 2.7/3.2
• version/python 2.7/3.2-alpha
• version/python 2.7/3.2.2150
• package-manager/debian