This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
DoS in RPC implementation (CVE-2011-4069)
- From: Aurelien Jarno <aurelien at aurel32 dot net>
- To: libc-alpha at sourceware dot org
- Date: Sat, 2 Jun 2012 22:19:12 +0200
- Subject: DoS in RPC implementation (CVE-2011-4069)
I have been informed that Debian eglibc is vulnerable to CVE-2011-4069,
a DoS in RPC implementation. I have been provided the following patch,
originating from Red Hat [1] and Ubuntu [2].
Instead of having this patch in every distribution, it might be a good
idea to merge that directly upstream. Unfortunately I don't know who to
give the credit to, so I don't know how to write the changelog in that
case.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=767299
[2] https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901716
Index: b/sunrpc/svc_tcp.c
===================================================================
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -44,6 +44,7 @@
#include <sys/poll.h>
#include <errno.h>
#include <stdlib.h>
+#include <time.h>
#ifdef USE_IN_LIBIO
# include <wchar.h>
@@ -243,6 +244,11 @@ again:
{
if (errno == EINTR)
goto again;
+ if (errno == EMFILE)
+ {
+ struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+ __nanosleep(&ts , NULL);
+ }
return FALSE;
}
/*
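Review bot: the `errno == EMFILE` test added before `return FALSE` covers only the per-process descriptor limit; ENFILE (system-wide file table exhausted) still returns immediately with no delay. If the intent is to keep the caller from spinning when no descriptor can be allocated, consider testing `errno == EMFILE || errno == ENFILE`. The 50000000 ns value also deserves a short comment saying why the sleep is there and why 50 ms, and GNU style would write the call as `__nanosleep (&ts, NULL);`.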
Index: b/sunrpc/svc_udp.c
===================================================================
--- a/sunrpc/svc_udp.c
+++ b/sunrpc/svc_udp.c
@@ -40,6 +40,7 @@
#include <sys/socket.h>
#include <errno.h>
#include <libintl.h>
+#include <time.h>
#ifdef IP_PKTINFO
#include <sys/uio.h>
@@ -272,8 +273,16 @@ again:
(int) su->su_iosz, 0,
(struct sockaddr *) &(xprt->xp_raddr), &len);
xprt->xp_addrlen = len;
- if (rlen == -1 && errno == EINTR)
- goto again;
+ if (rlen == -1)
+ {
+ if (errno == EINTR)
+ goto again;
+ if (errno == EMFILE)
+ {
+ struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+ __nanosleep(&ts , NULL);
+ }
+ }
if (rlen < 16) /* < 4 32-bit ints? */
return FALSE;
xdrs->x_op = XDR_DECODE;
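Review bot: in the new `if (rlen == -1)` block, is EMFILE a reachable error for this call? The call fills `rlen` and `xprt->xp_raddr` from an existing socket and does not appear to create a descriptor, so the `errno == EMFILE` branch may never run; if it is kept only for symmetry with svc_tcp.c and svc_unix.c, a comment should say so. After the sleep, control relies on falling through to `if (rlen < 16)` to return FALSE, which works because rlen is -1 but would be clearer as an explicit `return FALSE;` inside the block.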
Index: b/sunrpc/svc_unix.c
===================================================================
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -46,6 +46,7 @@
#include <errno.h>
#include <stdlib.h>
#include <libintl.h>
+#include <time.h>
#ifdef USE_IN_LIBIO
# include <wchar.h>
@@ -245,6 +246,11 @@ again:
{
if (errno == EINTR)
goto again;
+ if (errno == EMFILE)
+ {
+ struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+ __nanosleep(&ts , NULL);
+ }
return FALSE;
}
/*
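Review bot: the EMFILE block before `return FALSE` is the third verbatim copy of the same five lines, including the hard-coded 50000000 ns delay, after svc_tcp.c and svc_udp.c. A single internal helper, or at least one shared constant for the delay, would keep the three transports from drifting apart if the back-off is tuned later. The spacing in `__nanosleep(&ts , NULL);` should also be fixed in all three copies.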
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net