RnJvbTogQm9kbyBTdHJvZXNzZXIgPGJzdHJvZXNzZXJAdHMuZnVqaXRzdS5jb20+CkRhdGU6
IFRodSwgMDkgT2N0IDIwMTQgMTM6MDY6MTkgKzAyMDAKU3ViamVjdDogW25mcy11dGlsc10g
W1BBVENIIDMvM10gcnBjLm1vdW50ZDogc2V0IGxpYnRpcnBjIG5vbmJsb2NraW5nIG1vZGUg
dG8gYXZvaWQgRE9TCgpUaGlzIHBhdGNoIGlzIGV4cGVyaW1lbnRhbC4gSW4gd29ya3MgZmlu
ZSBpbiB0aGF0IGl0IHJlbW92ZXMgdGhlIHZ1bG5lcmFiaWxpdHkKYWdhaW5zdCBhIERPUyBh
dHRhY2suIHJwYy5tb3VudGQgY2FuIGJlIGJsb2NrZWQgYnkgYSBiYWQgY2xpZW50LCB0aGF0
IHNlbmRzCm1hbnkgUlBDIHJlcXVlc3RzIGJ1dCBuZXZlciByZWFkcyB0aGUgcmVzcG9uc2Vz
LiBUaGlzIG1pZ2h0IGhhcHBlbiBpbnRlbnRpb25hbGx5Cm9yIGNhdXNlZCBieSBhIHdyb25n
IG5ldHdvcmsgY29uZmlnIChNVFUpLgpUaGUgcGF0Y2ggc3dpdGNoZXMgb24gdGhlIG5vbmJs
b2NraW5nIG1vZGUgb2YgbGlidGlycGMuIEluIHRoYXQgbW9kZSB3cml0ZXMgY2FuCmJsb2Nr
IGZvciBhIG1heC4gb2YgMiBzZWNvbmRzLiBBdHRhY2tlcnMgYXJlIGZvcmNlZCB0byBzZW5k
IHJlcXVlc3RzIHNsb3dlciwgYXMKbGlidGlycGMgd2lsbCBjbG9zZSBhIGNvbm5lY3Rpb24g
aWYgaXQgZmluZHMgdHdvIHJlcXVlc3RzIHRvIHJlYWQgYXQgdGhlIHNhbWUKdGltZS4KSSBk
byBub3Qga25vdywgd2hldGhlciBzZXR0aW5nIE1BWFJFQyBjb3VsZCBjYXVzZSB0cm91Ymxl
IGUuZy4gd2l0aCBiaWcgcmVwbGllcy4KIAoKU2lnbmVkLW9mZi1ieTogQm9kbyBTdHJvZXNz
ZXIgPGJzdHJvZXNzZXJAdHMuZnVqaXRzdS5jb20+Ci0tLQoKLS0tIG5mcy11dGlscy0xLjMu
MS9zdXBwb3J0L25mcy9zdmNfY3JlYXRlLmMJMjAxNC0xMC0wOSAxMjowOToxNS4wMDAwMDAw
MDAgKzAyMDAKKysrIG5mcy11dGlscy0xLjMuMS9zdXBwb3J0L25mcy9zdmNfY3JlYXRlLmMJ
MjAxNC0xMC0wOSAxMjoxMzozMi4wMDAwMDAwMDAgKzAyMDAKQEAgLTQ5LDYgKzQ5LDggQEAK
IAogI2lmZGVmIEhBVkVfTElCVElSUEMKIAorI2luY2x1ZGUgPHJwYy9ycGNfY29tLmg+CisK
ICNkZWZpbmUgU1ZDX0NSRUFURV9YUFJUX0NBQ0hFX1NJWkUJKDgpCiBzdGF0aWMgU1ZDWFBS
VCAqc3ZjX2NyZWF0ZV94cHJ0X2NhY2hlW1NWQ19DUkVBVEVfWFBSVF9DQUNIRV9TSVpFXSA9
IHsgTlVMTCwgfTsKIApAQCAtNDAxLDYgKzQwMyw3IEBACiAJY29uc3Qgc3RydWN0IHNpZ2Fj
dGlvbiBjcmVhdGVfc2lnYWN0aW9uID0gewogCQkuc2FfaGFuZGxlcgk9IFNJR19JR04sCiAJ
fTsKKwlpbnQgbWF4cmVjID0gUlBDX01BWERBVEFTSVpFOwogCXVuc2lnbmVkIGludCB2aXNp
YmxlLCB1cCwgc2VydnBvcnQ7CiAJc3RydWN0IG5ldGNvbmZpZyAqbmNvbmY7CiAJdm9pZCAq
aGFuZGxlcDsKQEAgLTQxMiw2ICs0MTUsMjAgQEAKIAkgKi8KIAkodm9pZClzaWdhY3Rpb24o
U0lHUElQRSwgJmNyZWF0ZV9zaWdhY3Rpb24sIE5VTEwpOwogCisJLyoKKwkgKiBTZXR0aW5n
IE1BWFJFQyBhbHNvIGVuYWJsZXMgbm9uLWJsb2NraW5nIG1vZGUgZm9yIHRjcCBjb25uZWN0
aW9ucy4KKwkgKiBUaGlzIGF2b2lkcyBET1MgYXR0YWNrcyBieSBhIGNsaWVudCBzZW5kaW5n
IG1hbnkgcmVxdWVzdHMgYnV0IG5ldmVyCisJICogcmVhZGluZyB0aGUgcmVwbHk6CisJICog
LSBpZiBhIHNlY29uZCByZXF1ZXN0IGFscmVhZHkgaXMgcHJlc2VudCBmb3IgcmVhZGluZyBp
biB0aGUgc29ja2V0LAorCSAqICAgYWZ0ZXIgdGhlIGZpcnN0IHJlcXVlc3QganVzdCB3YXMg
cmVhZCwgbGlidGlycGMgd2lsbCBicmVhayB0aGUKKwkgKiAgIGNvbm5lY3Rpb24uIFRodXMg
YW4gYXR0YWNrZXIgY2FuJ3Qgc2ltcGx5IHNlbmQgcmVxdWVzdHMgYXMgZmFzdCBhcworCSAq
ICAgaGUgY2FuIHdpdGhvdXQgd2FpdGluZyBmb3IgdGhlIHJlc3BvbnNlLgorCSAqIC0gaWYg
dGhlIHdyaXRlIGJ1ZmZlciBvZiB0aGUgc29ja2V0IGlzIGZ1bGwsIHRoZSBuZXh0IHdyaXRl
KCkgd2lsbAorCSAqICAgZmFpbCB3aXRoIEVBR0FJTi4gbGlidGlycGMgd2lsbCByZXRyeSB0
aGUgd3JpdGUgaW4gYSBsb29wIGZvciBtYXguCisJICogICAyIHNlY29uZHMuIElmIHdyaXRl
IHN0aWxsIGZhaWxzLCB0aGUgY29ubmVjdGlvbiB3aWxsIGJlIGNsb3NlZC4KKwkgKi8gICAK
KwlycGNfY29udHJvbChSUENfU1ZDX0NPTk5NQVhSRUNfU0VULCAmbWF4cmVjKTsKKwogCWhh
bmRsZXAgPSBzZXRuZXRjb25maWcoKTsKIAlpZiAoaGFuZGxlcCA9PSBOVUxMKSB7CiAJCXhs
b2coTF9FUlJPUiwgIkZhaWxlZCB0byBhY2Nlc3MgbG9jYWwgbmV0Y29uZmlnIGRhdGFiYXNl
OiAlcyIsCg==
> -----Original Message-----
> From: NeilBrown [mailto:[email protected]]
> Sent: Wednesday, November 05, 2014 11:35 PM
> To: Str?sser, Bodo
> Cc: [email protected]; [email protected]
> Subject: Re: [nfs-utils] [PATCH 3/3] rpc.mountd: set libtirpc nonblocking mode to avoid
> DOS
...
> RPC_MAXDATASIZE is 9000.
> This number is only relevant on the receive size.
> When sending, the "sendsz" passed to svc_tli_create (which default to 64K for
> TCP) is used for the 'record size'.
> When receiving, any 'record' in a tcp connection which is larger than 9000
> bytes will be rejected.
> No message to mountd or statd could ever be that large, so this number
> does not impose a problematic limit.
Thank you for this explanation. That's what I wanted to but didn't know.
Bodo
>
> As far as I can tell, this patch is safe and is a clear improvement.
>
> Reviewed-by: NeilBrown <[email protected]>
>
> Thanks,
> NeilBrown
On 05 Nov 2014 21:24:29 +0100 [email protected] wrote:
> From: Bodo Stroesser <[email protected]>
> Date: Thu, 09 Oct 2014 13:06:19 +0200
> Subject: [nfs-utils] [PATCH 3/3] rpc.mountd: set libtirpc nonblocking mode to avoid DOS
>
> This patch is experimental. In works fine in that it removes the vulnerability
> against a DOS attack. rpc.mountd can be blocked by a bad client, that sends
> many RPC requests but never reads the responses. This might happen intentionally
> or caused by a wrong network config (MTU).
> The patch switches on the nonblocking mode of libtirpc. In that mode writes can
> block for a max. of 2 seconds. Attackers are forced to send requests slower, as
> libtirpc will close a connection if it finds two requests to read at the same
> time.
> I do not know, whether setting MAXREC could cause trouble e.g. with big replies.
>
>
> Signed-off-by: Bodo Stroesser <[email protected]>
> ---
>
> --- nfs-utils-1.3.1/support/nfs/svc_create.c 2014-10-09 12:09:15.000000000 +0200
> +++ nfs-utils-1.3.1/support/nfs/svc_create.c 2014-10-09 12:13:32.000000000 +0200
> @@ -49,6 +49,8 @@
>
> #ifdef HAVE_LIBTIRPC
>
> +#include <rpc/rpc_com.h>
> +
> #define SVC_CREATE_XPRT_CACHE_SIZE (8)
> static SVCXPRT *svc_create_xprt_cache[SVC_CREATE_XPRT_CACHE_SIZE] = { NULL, };
>
> @@ -401,6 +403,7 @@
> const struct sigaction create_sigaction = {
> .sa_handler = SIG_IGN,
> };
> + int maxrec = RPC_MAXDATASIZE;
> unsigned int visible, up, servport;
> struct netconfig *nconf;
> void *handlep;
> @@ -412,6 +415,20 @@
> */
> (void)sigaction(SIGPIPE, &create_sigaction, NULL);
>
> + /*
> + * Setting MAXREC also enables non-blocking mode for tcp connections.
> + * This avoids DOS attacks by a client sending many requests but never
> + * reading the reply:
> + * - if a second request already is present for reading in the socket,
> + * after the first request just was read, libtirpc will break the
> + * connection. Thus an attacker can't simply send requests as fast as
> + * he can without waiting for the response.
> + * - if the write buffer of the socket is full, the next write() will
> + * fail with EAGAIN. libtirpc will retry the write in a loop for max.
> + * 2 seconds. If write still fails, the connection will be closed.
> + */
> + rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrec);
> +
> handlep = setnetconfig();
> if (handlep == NULL) {
> xlog(L_ERROR, "Failed to access local netconfig database: %s",
RPC_MAXDATASIZE is 9000.
This number is only relevant on the receive size.
When sending, the "sendsz" passed to svc_tli_create (which default to 64K for
TCP) is used for the 'record size'.
When receiving, any 'record' in a tcp connection which is larger than 9000
bytes will be rejected.
No message to mountd or statd could ever be that large, so this number
does not impose a problematic limit.
As far as I can tell, this patch is safe and is a clear improvement.
Reviewed-by: NeilBrown <[email protected]>
Thanks,
NeilBrown