PR#50398: Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS - 389-ds-base

389-ds-base

#50398 Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS

Closed 3 years ago by spichugi. Opened 4 years ago by tbordaz.

tbordaz/389-ds-base ticket-50329 into master

Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS

Thierry Bordaz • 4 years ago

f20e982

ldap/servers/slapd/daemon.c

file modified

+1 -1

		`@@ -3174,7 +3174,7 @@`

		`if (secure) {`
		`pr_socketoption.option = PR_SockOpt_Nonblocking;`
		`- pr_socketoption.value.non_blocking = 0;`
		`+ pr_socketoption.value.non_blocking = 1;`
		`if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) {`
		`PRErrorCode prerr = PR_GetError();`
		`slapi_log_err(SLAPI_LOG_ERR,`

tbordaz commented 4 years ago

Bug Description:
A secure socket is configured in blocking mode. If an event
is detected on a secure socket a worker tries to receive the request.
If handshake occurs during the read, it can hang longer than
ioblocktimeout because it takes into account the socket option
rather than the timeout used for the ssl_Recv

Fix Description:
The fix is specific to secure socket and set this socket option
to do non blocking IO.

https://bugzilla.redhat.com/show_bug.cgi?id=1668457

Reviewed by: ?

Platforms tested: F28

Flag Day: no

Doc impact: no

tbordaz commented 4 years ago

This patch has been tested since May 17th. So far no regression reported and original issues (hanging ssl connection and replication delay/hang) do no longer happen

rebased onto f20e982

4 years ago

tbordaz commented 4 years ago

anyone would be interested reviewing it ? :)