git.linux-nfs.org Git - steved/libtirpc.git/commit

author	Dai Ngo <dai.ngo@oracle.com>
	Sat, 21 Aug 2021 17:16:23 +0000 (13:16 -0400)
committer	Steve Dickson <steved@redhat.com>
	Sat, 21 Aug 2021 17:17:24 +0000 (13:17 -0400)
commit	86529758570cef4c73fb9b9c4104fdc510f701ed
tree	a30e5832e37b11d8b200ce5cb1d0d6fbdfdb6bd7	tree \| snapshot
parent	7089bb02714e23b9c737c22d64f1ee3b256e45f4	commit \| diff

Fix DoS vulnerability in libtirpc

Currently svc_run does not handle poll timeout and rendezvous_request
does not handle EMFILE error returned from accept(2 as it used to.
These two missing functionality were removed by commit b2c9430f46c4.

The effect of not handling poll timeout allows idle TCP conections
to remain ESTABLISHED indefinitely. When the number of connections
reaches the limit of the open file descriptors (ulimit -n) then
accept(2) fails with EMFILE. Since there is no handling of EMFILE
error this causes svc_run() to get in a tight loop calling accept(2).
This resulting in the RPC service of svc_run is being down, it's
no longer able to service any requests.

RPC service rpcbind, statd and mountd are effected by this
problem.

Fix by enhancing rendezvous_request to keep the number of
SVCXPRT conections to 4/5 of the size of the file descriptor
table. When this thresold is reached, it destroys the idle
TCP connections or destroys the least active connection if
no idle connnction was found.

Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
Signed-off-by: dai.ngo@oracle.com
Signed-off-by: Steve Dickson <steved@redhat.com>

INSTALL	[changed from file to symlink]	diff \| blob \| history
src/svc.c		diff \| blob \| history
src/svc_vc.c		diff \| blob \| history