[tao-bugs] Ability to crash service with invalid input
jwillemsen at remedy.nl
Wed May 31 02:45:47 CDT 2017
> Is that what would be preferred? I don't want to publicly disclose
> details of a vulnerability in case it's used to affect users' services.
> Private disclosure might be better?
When you submit a pull request with the necessary fixes you don't have
to disclose how to misuse it, just contribute the change to fix it.
> On 30 May 2017 at 10:06, Johnny Willemsen <jwillemsen at remedy.nl> wrote:
> You can always open a pull request at
> <https://github.com/DOCGroup/ACE_TAO> with the proposed fixes for
> Best regards,
> Johnny Willemsen
> Remedy IT
> Postbus 81 | 6930 AB Westervoort | The Netherlands
> On 05/30/2017 10:55 AM, Electric Worry wrote:
>> I've been doing some testing of TAO's resilience against malicious
>> input and I think I've found a minor issue that might warrant some
>> attention. It appears to only be a null pointer dereference, so is
>> probably not exploitable, but it can cause a denial of service.
>> I've just been testing against the MessengerServer from the Dev
>> Guide Examples, but I believe this issue would be applicable
>> against any application that uses TAO in a similar way.
>> Rather than divulge details here, is there anyone I can discuss
>> this with directly to ascertain whether this is an issue, and if
>> so to allow for appropriate fixes to be applied?
>> tao-bugs mailing list
>> tao-bugs at list.isis.vanderbilt.edu