[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] simple DoS against SKS's HKP interface :/
From: |
John Clizbe |
Subject: |
Re: [Sks-devel] simple DoS against SKS's HKP interface :/ |
Date: |
Mon, 23 Apr 2012 22:16:02 -0500 |
User-agent: |
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.20pre) Gecko/20110606 Mnenhy/0.8.5 SeaMonkey/2.0.15pre |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA256
Johan van Selst wrote:
> Daniel Kahn Gillmor wrote:
>> Fix?
>> ----
>> I'm afraid i don't know ocaml at all, so i don't have a proposed fix.
>> It seems to be related to the event loop model on the sks db process,
>> though. Looking at it from a system call level: either sks should be
>> multi-threaded, or reads from network sockets should be non-blocking,
>> and bundled into an aggregate select() statement so that concurrent
>> requests can be properly interleaved.
>
> This seems to be the best way forward. Is anybody on this list actually
> looking into the suggested solution? Most people here, myself included,
> don't seem to be very fluent in OCaml programming. But I would
> definately appreciate it if somebody could look into this and come up
> with a real fix, rather than best-practice workarounds with reverse
> webproxies.
Oddly, I was looking at a different problem last night and noticed this
snippet appearing twice in wserver.ml:
188-189
let rec parse_headers map cin =
let line = input_line cin in (* DOS attack: input_line is unsafe on
sockets *)
201-202
let parse_request cin =
let line = input_line cin in (* DOS attack: input_line is unsafe on
sockets *)
So, it would appear to my barely apprentice level OCaml, that our
solution lies in a socket-safe implementation of input_line
- -John
- --
John P. Clizbe Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or
mailto:address@hidden
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12-git-509fe4ce-2012-01-31 (Windows XP)
Comment: When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Comment: Be part of the £7 ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJPlhrvAAoJECMTMVxDW9A0P7AH/RnE96vobo4zm8t+jsD2U0HA
VH7aIqXPn95DNedG8kl8bbIjRkQFH/JdmTVcE0MMAuKS5B1MGKrdiyjOdpDDebZE
bjN9kgj9laiWXybY2Q9JAdDBXRsyCpeQPOiUCs5xoHL4NbWP61r3D37wRXssfWOL
WZhfNWanFJdUltFE3Mct9mezxa+XqQJSl8lfNkcNlZk8TORPEwo7SG/iTcPeAjKL
yiAPlZyNj63Ynkj9G/v3C5NJocVjhsXOGjK99QAVaCyGGK/PypBvE+RlSLF1O9gA
gRmsSrCWTIlRdCynyrqY5TraJaxCAH47TukDtP4suIep/FU63zktM72FV/jGNlaI
XgQBEQgABgUCT5Ya7wAKCRDrXhnz1laYJae/AP92fyLBNwIrucpWLAex1/k9FqOW
8vkvWhOQ1h+rR9DCSQD7BWesAuVLqjWo0z4bgvhDhYzqWX+6nGo2qTnNiNYd1Iw=
=1nMU
-----END PGP SIGNATURE-----