This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: DoS in RPC implementation (CVE-2011-4069)


On Mon, Jun 04, 2012 at 11:28:15AM -0400, Carlos O'Donell wrote:
> On 6/4/2012 2:44 AM, Siddhesh Poyarekar wrote:
> > On Sun, 3 Jun 2012 18:48:14 -0400, Carlos wrote:
> >> The patch was uploaded by Vincent Danen on the RH bugzilla in [1].
> >>
> >> I don't see Danen explicitly in the FSF's copyright.list, but he
> >> might be covered under his employer.
> >>
> >> I believe that Vincent works for Red Hat, but I don't have an email
> >> for him.
> >>
> >> Jeff,
> >>
> >> Does Vincent work at Red Hat?
> >>
> >> If he does can you find out if he is actually the author of the patch
> >> in [1] please?
> >>
> > 
> > Vincent Danen does work for Red Hat, but the original author of the
> > patch is Martin Osvald <mosvald@redhat.com>.
> 
> Siddhesh,
> 
> Thanks for digging this out. Given that Martin works for Red Hat 
> this is covered under the blanket Red Hat copyright.
> 
> Aurelien,
> 
> Could you please re-submit the patch with the proper copyright
> assignment?
> 

Here it is. It's basically the same patch as included in the Red Hat
package, rebased on the current git, and with the indentation fixed.

The goal of this patch is to fix a denial of service flaw found in the
remote procedure call (RPC) implementation in glibc. A remote attacker
able to open a large number of connections to an RPC service that is
using the RPC implementation from glibc could use this flaw to make
that service use an excessive amount of CPU time.

2012-06-06  Martin Osvald  <mosvald@redhat.com> 

	* sunrpc/svc_tcp.c: Include <time.h>.
	(rendezvous_request): Sleep 50ms when no file descriptors are
	available.
	* sunrpc/svc_unix.c: Ditto.
	* sunrpc/svc_udp.c: Include <time.h>.
	(svcudp_recv): Sleep 50ms when no file descriptors are available.

diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c
index eb61549..cc39090 100644
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -44,6 +44,7 @@
 #include <sys/poll.h>
 #include <errno.h>
 #include <stdlib.h>
+#include <time.h>
 
 #include <wchar.h>
 #include <libio/iolibio.h>
@@ -247,6 +248,11 @@ again:
     {
       if (errno == EINTR)
 	goto again;
+      if (errno == EMFILE)
+	{
+	  struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+	  __nanosleep(&ts , NULL);
+	}
       return FALSE;
     }
   /*
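
Review bot: The new `errno == EMFILE` test in this svc_tcp.c hunk covers only the per-process descriptor limit; ENFILE (system-wide table exhausted) would take the same `return FALSE` path without the pause, so consider `if (errno == EMFILE || errno == ENFILE)`. The call is also not in GNU style: `__nanosleep(&ts , NULL);` should read `__nanosleep (&ts, NULL);`. A one-line comment above the branch saying why the function sleeps before returning FALSE would help the next reader, since nothing in the code links the 50 ms pause to the CPU-usage problem.
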
diff --git a/sunrpc/svc_udp.c b/sunrpc/svc_udp.c
index 6c4d75a..0da120b 100644
--- a/sunrpc/svc_udp.c
+++ b/sunrpc/svc_udp.c
@@ -40,6 +40,7 @@
 #include <sys/socket.h>
 #include <errno.h>
 #include <libintl.h>
+#include <time.h>
 
 #ifdef IP_PKTINFO
 #include <sys/uio.h>
@@ -277,8 +278,16 @@ again:
 		       (int) su->su_iosz, 0,
 		       (struct sockaddr *) &(xprt->xp_raddr), &len);
   xprt->xp_addrlen = len;
-  if (rlen == -1 && errno == EINTR)
-    goto again;
+  if (rlen == -1)
+    {
+      if (errno == EINTR)
+	goto again;
+      if (errno == EMFILE)
+	{
+	  struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+	  __nanosleep(&ts , NULL);
+	}
+    }
   if (rlen < 16)		/* < 4 32-bit ints? */
     return FALSE;
   xdrs->x_op = XDR_DECODE;
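
Review bot: It is not clear that the `errno == EMFILE` branch added to svcudp_recv can ever be taken. The context lines show the tail of a receive call that fills `xprt->xp_raddr` and `len`, and a datagram receive does not allocate a new file descriptor the way accepting a connection does. Please state in a comment or in the ChangeLog under which condition this call fails with EMFILE, or drop the svc_udp.c part of the patch. The same `__nanosleep(&ts , NULL);` spacing nit applies here.
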
diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
index 94507b2..a8929cc 100644
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -47,6 +47,7 @@
 #include <stdlib.h>
 #include <libintl.h>
 #include <wchar.h>
+#include <time.h>
 
 /*
  * Ops vector for AF_UNIX based rpc service handle
@@ -244,6 +245,11 @@ again:
     {
       if (errno == EINTR)
 	goto again;
+      if (errno == EMFILE)
+	{
+	  struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+	  __nanosleep(&ts , NULL);
+	}
       return FALSE;
     }
   /*
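
Review bot: The five-line EMFILE block in this svc_unix.c hunk is now repeated verbatim in three files, each with the bare literal `50000000`. A small shared helper, or at least a named constant for the delay, would keep the three copies from drifting apart, and it gives one place for a comment explaining why 50 ms was chosen. The `__nanosleep(&ts , NULL);` spacing should be `__nanosleep (&ts, NULL);` here as well.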

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net
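
The failure mode the message describes, as an added example that is not part of the original post and not glibc code: once the descriptor table is full, accept() fails with EMFILE but the pending connection stays queued, so a poll/accept loop is woken again immediately unless it backs off. The helper name `emfile_rounds` and the abstract socket name are hypothetical, and the code assumes Linux.

```c
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper: run `rounds` poll/accept iterations while the
   descriptor table is full.  Returns how many iterations found the listener
   readable and then saw accept() fail with EMFILE, or -1 on setup failure.
   backoff_ns > 0 sleeps after each EMFILE, as the patch does.  */
int emfile_rounds (int rounds, long backoff_ns)
{
  struct sockaddr_un sa = { .sun_family = AF_UNIX };
  struct rlimit old, full;
  int hits = -1;
  /* Constructed abstract-namespace name (Linux only): sun_path[0] stays NUL.  */
  int n = snprintf (sa.sun_path + 1, sizeof sa.sun_path - 1, "emfile-%d", (int) getpid ());
  socklen_t len = offsetof (struct sockaddr_un, sun_path) + 1 + n;
  int lfd = socket (AF_UNIX, SOCK_STREAM, 0), cfd = socket (AF_UNIX, SOCK_STREAM, 0);
  if (lfd >= 0 && cfd >= 0 && bind (lfd, (struct sockaddr *) &sa, len) == 0
      && listen (lfd, 1) == 0 && connect (cfd, (struct sockaddr *) &sa, len) == 0
      && getrlimit (RLIMIT_NOFILE, &old) == 0)
    {
      /* Descriptors are allocated lowest-first, so every slot below cfd is
         in use; a soft limit of cfd + 1 leaves accept() nothing to allocate.  */
      full = old;
      full.rlim_cur = cfd + 1;
      hits = setrlimit (RLIMIT_NOFILE, &full) == 0 ? 0 : -1;
      for (int i = 0; hits >= 0 && i < rounds; i++)
        {
          struct pollfd p = { .fd = lfd, .events = POLLIN };
          struct timespec ts = { .tv_sec = 0, .tv_nsec = backoff_ns };
          if (poll (&p, 1, 0) != 1 || accept (lfd, NULL, NULL) >= 0 || errno != EMFILE)
            continue;
          hits++;  /* The connection stays queued, so the next poll fires at once.  */
          if (backoff_ns > 0)
            nanosleep (&ts, NULL);
        }
      setrlimit (RLIMIT_NOFILE, &old);
    }
  if (cfd >= 0) close (cfd);
  if (lfd >= 0) close (lfd);
  return hits;
}
```

With `backoff_ns` set to 0 every round hits EMFILE back to back, which is the CPU spin; with 50000000 the same rounds are spaced 50 ms apart.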

