From 7b0e7f6f51f6a117f6a40aa3967cad656eafb811 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Jun 06 2019 14:30:24 +0000 Subject: Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS Bug Description: A secure socket is configured in blocking mode. If an event is detected on a secure socket a worker tries to receive the request. If handshake occurs during the read, it can hang longer than ioblocktimeout because it takes into account the socket option rather than the timeout used for the ssl_Recv Fix Description: The fix is specific to secure socket and set this socket option to do non blocking IO. https://pagure.io/389-ds-base/issue/50329 Reviewed by: ? Platforms tested: F28, RHEL7.6 Flag Day: no Doc impact: no
---
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index c77e1f1..b1d41c8 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -3191,7 +3191,7 @@ configure_pr_socket(PRFileDesc **pr_socket, int secure, int local)
 if (secure) {
 pr_socketoption.option = PR_SockOpt_Nonblocking;
- pr_socketoption.value.non_blocking = 0;
+ pr_socketoption.value.non_blocking = 1;
 if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) {
 PRErrorCode prerr = PR_GetError();
 slapi_log_err(SLAPI_LOG_ERR,