[tao-bugs] Ability to crash service with invalid input
worryelectric at gmail.com
Tue May 30 06:47:12 CDT 2017
Is that what would be preferred? I don't want to publicly disclose details
of a vulnerability in case it's used to affect users' services. Private
disclosure might be better?
On 30 May 2017 at 10:06, Johnny Willemsen <jwillemsen at remedy.nl> wrote:
> You can always open a pull request at https://github.com/DOCGroup/ACE_TAO
> with the proposed fixes for review.
> Best regards,
> Johnny Willemsen
> Remedy IT
> Postbus 81 | 6930 AB Westervoort | The Netherlands
> http://www.remedy.nl
> On 05/30/2017 10:55 AM, Electric Worry wrote:
> > I've been doing some testing of TAO's resilience against malicious input
> > and I think I've found a minor issue that might warrant some attention. It
> > appears to only be a null pointer dereference, so is probably not
> > exploitable, but it can cause a denial of service.
> > I've just been testing against the MessengerServer from the Dev Guide
> > Examples, but I believe this issue would be applicable against any
> > application that uses TAO in a similar way.
> > Rather than divulge details here, is there anyone I can discuss this with
> > directly to ascertain whether this is an issue, and if so to allow for
> > appropriate fixes to be applied?