Netatalk Integer Underflow Vulnerability in DSI Write Handling Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in Netatalk versions 1.5.0 through 4.4.2. The issue arises from an integer underflow in the 'dsi_writeinit()' function, which allows an unauthenticated attacker to miscalculate payload sizes. This miscalculation can force an 'afpd' child process to spend excessive time handling data, effectively causing a denial-of-service condition. The vulnerability can be exploited before authentication in certain protocol states, but it does not involve memory corruption or remote code execution.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing affected processes to become unresponsive or to consume excessive resources.

Remediation

Users can upgrade to Netatalk version 4.4.3 or later, which includes the necessary patch. Alternatively, the patch can be applied to a Netatalk 4.4.2 source tree. Netatalk administrators are advised to restrict access to the AFP port (548) from untrusted networks using firewall rules, to mitigate exposure until the patch is applied.