This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

DoS in RPC implementation (CVE-2011-4069)

From: Aurelien Jarno <aurelien at aurel32 dot net>
To: libc-alpha at sourceware dot org
Date: Sat, 2 Jun 2012 22:19:12 +0200
Subject: DoS in RPC implementation (CVE-2011-4069)

I have been informed that Debian eglibc is vulnerable to CVE-2011-4069,
a DoS in RPC implementation. I have been provided the following patch,
originating from Red Hat [1] and Ubuntu [2].

Instead of having this patch in every distribution, it might be a good
idea to merge that directly upstream. Unfortunately I don't know who to
give the credit to, so I don't know how to write the changelog in that
case.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=767299
[2] https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901716


Index: b/sunrpc/svc_tcp.c
===================================================================
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -44,6 +44,7 @@
 #include <sys/poll.h>
 #include <errno.h>
 #include <stdlib.h>
+#include <time.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -243,6 +244,11 @@ again:
     {
       if (errno == EINTR)
 	goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
       return FALSE;
     }
   /*
Index: b/sunrpc/svc_udp.c
===================================================================
--- a/sunrpc/svc_udp.c
+++ b/sunrpc/svc_udp.c
@@ -40,6 +40,7 @@
 #include <sys/socket.h>
 #include <errno.h>
 #include <libintl.h>
+#include <time.h>
 
 #ifdef IP_PKTINFO
 #include <sys/uio.h>
@@ -272,8 +273,16 @@ again:
 		       (int) su->su_iosz, 0,
 		       (struct sockaddr *) &(xprt->xp_raddr), &len);
   xprt->xp_addrlen = len;
-  if (rlen == -1 && errno == EINTR)
-    goto again;
+  if (rlen == -1)
+    {
+      if (errno == EINTR)
+        goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
+    }
   if (rlen < 16)		/* < 4 32-bit ints? */
     return FALSE;
   xdrs->x_op = XDR_DECODE;
Index: b/sunrpc/svc_unix.c
===================================================================
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -46,6 +46,7 @@
 #include <errno.h>
 #include <stdlib.h>
 #include <libintl.h>
+#include <time.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -245,6 +246,11 @@ again:
     {
       if (errno == EINTR)
 	goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
       return FALSE;
     }
   /*

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net

Follow-Ups:
- Re: DoS in RPC implementation (CVE-2011-4069)
  - From: Carlos O'Donell

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]