[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [bug-inetutils] telnetd bug: Busy loop in io_drain can be abused for
|
From: |
Simon Josefsson |
|
Subject: |
Re: [bug-inetutils] telnetd bug: Busy loop in io_drain can be abused for DOS attack |
|
Date: |
Wed, 22 Aug 2012 13:20:45 +0200 |
|
User-agent: |
Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux) |
Petr Malát <address@hidden> writes:
> Hello again,
> I found a problem in telnet demon in a function, which waits for reply
> from client. The problem is that it calls read() on non-blocking
> filedescriptor in a loop, until some data comes. If the client is evil
> and does not send a reply, but keeps the connection open, then server
> is calling read() again and again consuming CPU time. The problem can
> be solved by calling select() before reading from filedescriptor.
> Patch is attached.
> Petr
Thanks -- I have noticed this problem as well, and while I haven't
tested your patch, I think we should apply it.
/Simon
> PS: I'm not subscribed to the mailing list, please respond also on my address.
>
> --- inetutils-1.9.1/telnetd/utility.c 2012-08-22 12:24:32.000000000 +0200
> +++ inetutils-1.9.1/telnetd/utility.c 2012-08-22 12:46:56.642636000 +0200
> @@ -402,19 +402,23 @@ pty_read (void)
> void
> io_drain (void)
> {
> + fd_set rfds;
> +
> DEBUG (debug_report, 1, debug_output_data ("td: ttloop\r\n"));
> if (nfrontp - nbackp > 0)
> netflush ();
>
> -again:
> + FD_ZERO(&rfds);
> + FD_SET(net, &rfds);
> + if (1 != select(net + 1, &rfds, NULL, NULL, NULL))
> + {
> + syslog (LOG_INFO, "ttloop: select: %m\n");
> + exit (EXIT_FAILURE);
> + }
> +
> ncc = read (net, netibuf, sizeof netibuf);
> if (ncc < 0)
> {
> - if (errno == EAGAIN)
> - {
> - syslog (LOG_INFO, "ttloop: retrying");
> - goto again;
> - }
> syslog (LOG_INFO, "ttloop: read: %m\n");
> exit (EXIT_FAILURE);
> }