Hi,
We currently stumbled upon a memory leak in OpenVAS when creating credentials using the GMP Python API.
To reproduce this issue we used the “create_credential” function in the Python library with the name, credential_type, login and password arguments. The password argument value, though, was ‘None’. Looking at the library code, this puts an XML request together but with no password element added. This is then sent using the GMP protocol as a command.
We then detected the following error in the logs:
sd main:MESSAGE:2019-05-21 14h46.50 utc:9: openvassd 6.0.0 started
sd main:MESSAGE:2019-05-21 14h48.50 utc:202: Starts a new scan. Target(s) : 10.12.42.68, with max_hosts = 30 and max_checks = 10
sd main:MESSAGE:2019-05-21 14h48.50 utc:209: Testing 10.12.42.68 [209]
lib nasl:MESSAGE:2019-05-21 14h49.59 utc:4610: Function ssh_login called from ssh_proto_version.nasl: Failed to set SSH key type ‘ecdsa-sha2-nistp256’: Setting method: no algorithm for method “server host key algo” (ecdsa-sha2-nistp256)
lib misc:MESSAGE:2019-05-21 14h51.19 utc:8427: Function (null) called from http_header_value_format_string.nasl: Severe bug! Unhandled transport layer -1 (fd=1000000).
lib misc:MESSAGE:2019-05-21 14h51.19 utc:8427: Function http_recv_headers2 called from http_header_value_format_string.nasl: Severe bug! Unhandled transport layer -1 (fd=1000000).
lib misc:MESSAGE:2019-05-21 14h51.19 utc:8427: Function (null) called from http_header_value_format_string.nasl: Severe bug! Unhandled transport layer -1 (fd=1000000).
lib misc:MESSAGE:2019-05-21 14h51.19 utc:8427: Function http_recv_headers2 called from http_header_value_format_string.nasl: Severe bug! Unhandled transport layer -1 (fd=1000000).
lib misc:MESSAGE:2019-05-21 14h51.19 utc:8427: Function (null) called from http_header_value_format_string.nasl: Severe bug! Unhandled transport layer -1 (fd=1000000).
lib misc:MESSAGE:2019-05-21 14h51.19 utc:8427: Function http_recv_headers2 called from http_header_value_format_string.nasl: Severe bug! Unhandled transport layer -1 (fd=1000000).
lib misc:MESSAGE:2019-05-21 14h51.19 utc:8427: Function (null) called from http_header_value_format_string.nasl: Severe bug! Unhandled transport layer -1 (fd=1000000).
The last two lines keep appearing in a loop and we get no response back, so the connection on the client side times out.
This generates an infinite number of core files (until it hits the limit).
Please let me know if I have added this issue in the wrong location so I can put it in the right place. I suppose not providing a password element for creating credentials should respond with a failure and inform the user to provide a password rather than end up in a loop.
Thank you.
Malcolm
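
A client-side guard for the case described in the post, as an added example that is not part of the original post and is not python-gvm code: it refuses to build a `create_credential` request when the password is missing, instead of sending one without a password element. The helper name, the exception class and the use of `"up"` as the username-and-password credential type are assumptions; the sample values are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: "up" is the GMP credential type for username + password.
USERNAME_PASSWORD = "up"


class MissingCredentialField(ValueError):
    """Raised before anything is sent to the manager."""


def build_create_credential(name, credential_type, login=None, password=None):
    """Build a <create_credential> request, refusing incomplete input.

    Hypothetical helper: it mirrors the arguments named in the post but
    validates them client-side instead of silently dropping elements.
    """
    if not name:
        raise MissingCredentialField("name is required")
    if credential_type == USERNAME_PASSWORD:
        # The case from the post: password=None would otherwise produce a
        # request with no <password> element at all.
        for field, value in (("login", login), ("password", password)):
            if value is None or value == "":
                raise MissingCredentialField(
                    f"{field} is required for credential type {credential_type!r}"
                )

    cmd = ET.Element("create_credential")
    ET.SubElement(cmd, "name").text = name
    ET.SubElement(cmd, "type").text = credential_type
    if login is not None:
        ET.SubElement(cmd, "login").text = login
    if password is not None:
        ET.SubElement(cmd, "password").text = password
    # ElementTree escapes &, < and > in text, so values cannot break the XML.
    return ET.tostring(cmd, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    print(build_create_credential("scan-user", "up", "admin", "s3cret&<"))
    try:
        build_create_credential("scan-user", "up", "admin", None)
    except MissingCredentialField as exc:
        print("rejected:", exc)
```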