Thursday, June 6, 2019

[389-commits] [389-ds-base] branch 389-ds-base-1.4.0 updated: Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS

This is an automated email from the git hooks/post-receive script.

tbordaz pushed a commit to branch 389-ds-base-1.4.0
in repository 389-ds-base.

The following commit(s) were added to refs/heads/389-ds-base-1.4.0 by this push:
new 7b0e7f6 Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS
7b0e7f6 is described below

commit 7b0e7f6f51f6a117f6a40aa3967cad656eafb811
Author: Thierry Bordaz <tbordaz@redhat.com>
AuthorDate: Wed May 15 17:46:14 2019 +0200

Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS

Bug Description:
A secure socket is configured in blocking mode. If an event
is detected on a secure socket, a worker tries to receive the request.
If a handshake occurs during the read, it can hang longer than
ioblocktimeout because it takes into account the socket option
rather than the timeout used for the ssl_Recv.

Fix Description:
The fix is specific to secure sockets and sets this socket option
to do non-blocking IO.

https://pagure.io/389-ds-base/issue/50329

Reviewed by: ?

Platforms tested: F28, RHEL7.6

Flag Day: no

Doc impact: no
---
ldap/servers/slapd/daemon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index c77e1f1..b1d41c8 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -3191,7 +3191,7 @@ configure_pr_socket(PRFileDesc **pr_socket, int secure, int local)

if (secure) {
pr_socketoption.option = PR_SockOpt_Nonblocking;
- pr_socketoption.value.non_blocking = 0;
+ pr_socketoption.value.non_blocking = 1;
if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) {
PRErrorCode prerr = PR_GetError();
slapi_log_err(SLAPI_LOG_ERR,
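
Review bot: In the if (secure) branch of configure_pr_socket, the flipped assignment pr_socketoption.value.non_blocking = 1 carries no comment explaining why secure sockets must be non-blocking, so a later cleanup could set it back to 0 and reintroduce the hang described in ticket 50329. Add a short comment above the assignment noting that a TLS handshake during a read otherwise blocks past ioblocktimeout. Since this is the only line changed, please also confirm that the receive and send paths for secure connections already handle PR_WOULD_BLOCK_ERROR and partial writes on a non-blocking descriptor and still enforce ioblocktimeout; nothing in this hunk shows that, no test accompanies the change, and the commit message still reads "Reviewed by: ?".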
