Commit Graph

10 Commits

Author SHA1 Message Date
Bill Paul
1ce4aec2b4 Change the sanity test here. It's not correct to assume that the record
size we receive here should fit into the receive buffer. Unfortunately,
there's no 100% foolproof way to distinguish a ridiculously large record
size that a client actually meant to send us from a ridiculously large
record size that was sent as a spoof attempt.

The one value that we can positively identify as bogus is zero. A
zero-sized record makes absolutely no sense, and sending an endless
supply of zeroes will cause the server to loop forever trying to
fill its receive buffer.

Note that the changes made to readtcp() make it okay to revert this
sanity test since the deadlock case where a client can keep the server
occupied forever in the readtcp() select() loop can't happen anymore.
This solution is not ideal, but is relatively easy to implement. The
ideal solution would be to re-arrange the way dispatching is handled
so that the select() loop in readtcp() can be eliminated, but this is
difficult to implement. I do plan to implement the complete solution
eventually but in the meantime I don't want to leave the RPC library
totally vulnerable.

That you very much Sun, may I have another.
1998-05-20 15:56:11 +00:00
Bill Paul
a9352e90f0 Patch RPC library to avoid possible denial of service attacks as described
recently in BUGTRAQ. The set_input_fragment() routine in the XDR record
marking code blindly trusts that the first two bytes it sees will in fact
be an actual record header and that the specified size will be sane. In
fact, if you just telnet to a listening port of an RPC service and send a
few carriage returns, set_input_fragment() will obtain a ridiculously large
record size and sit there for a long time trying to read from the network.

A sanity test is required: if the record size is larger than the receive
buffer, punt.
1998-05-15 22:57:31 +00:00
Bill Paul
58041b5396 Resolve conflicts. 1997-05-28 04:57:39 +00:00
Peter Wemm
7e546392b5 Revert $FreeBSD$ to $Id$ 1997-02-22 15:12:41 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Peter Wemm
1ad08a09e9 - Missing prototypes, including pointers to functions
- 64 bit long type safe (wire protocols specified in explicit sized types)
- Support systems that don't do unaligned accesses
- Support for explicit int16 and int32 sizes in xdr

Obtained from: a diff of FreeBSD vs. OpenBSD/NetBSD rpc code.
1996-12-30 14:07:11 +00:00
Poul-Henning Kamp
29285d6cc5 minor cleanup, #includes. 1995-10-22 14:53:58 +00:00
Rodney W. Grimes
6c06b4e2aa Remove trailing whitespace. 1995-05-30 05:51:47 +00:00
Garrett Wollman
46cc41a1d8 More directory cleanup after YP merge. 1994-08-07 22:21:14 +00:00
Garrett Wollman
eae561b30e Moving RPC stuff into libc, part 2. 1994-08-07 18:39:35 +00:00