Change the sanity test here. It's not correct to assume that the record
size we receive here should fit into the receive buffer. Unfortunately, there's no 100% foolproof way to distinguish a ridiculously large record size that a client actually meant to send us from a ridiculously large record size that was sent as a spoof attempt. The one value that we can positively identify as bogus is zero. A zero-sized record makes absolutely no sense, and sending an endless supply of zeroes will cause the server to loop forever trying to fill its receive buffer. Note that the changes made to readtcp() make it okay to revert this sanity test since the deadlock case where a client can keep the server occupied forever in the readtcp() select() loop can't happen anymore. This solution is not ideal, but is relatively easy to implement. The ideal solution would be to re-arrange the way dispatching is handled so that the select() loop in readtcp() can be eliminated, but this is difficult to implement. I do plan to implement the complete solution eventually but in the meantime I don't want to leave the RPC library totally vulnerable. That you very much Sun, may I have another.
This commit is contained in:
parent
6d5a01beb3
commit
1ce4aec2b4
@ -29,7 +29,7 @@
|
||||
#if defined(LIBC_SCCS) && !defined(lint)
|
||||
/*static char *sccsid = "from: @(#)xdr_rec.c 1.21 87/08/11 Copyr 1984 Sun Micro";*/
|
||||
/*static char *sccsid = "from: @(#)xdr_rec.c 2.2 88/08/01 4.0 RPCSRC";*/
|
||||
static char *rcsid = "$Id: xdr_rec.c,v 1.8 1997/05/28 04:57:38 wpaul Exp $";
|
||||
static char *rcsid = "$Id: xdr_rec.c,v 1.9 1998/05/15 22:57:31 wpaul Exp $";
|
||||
#endif
|
||||
|
||||
/*
|
||||
@ -552,9 +552,13 @@ set_input_fragment(rstrm)
|
||||
rstrm->last_frag = ((header & LAST_FRAG) == 0) ? FALSE : TRUE;
|
||||
/*
|
||||
* Sanity check. Try not to accept wildly incorrect
|
||||
* record sizes.
|
||||
* record sizes. Unfortunately, the only record size
|
||||
* we can positively identify as being 'wildly incorrect'
|
||||
* is zero. Ridiculously large record sizes may look wrong,
|
||||
* but we don't have any way to be certain that they aren't
|
||||
* what the client actually intended to send us.
|
||||
*/
|
||||
if ((header & (~LAST_FRAG)) > rstrm->recvsize)
|
||||
if ((header & (~LAST_FRAG)) == 0)
|
||||
return(FALSE);
|
||||
rstrm->fbtbc = header & (~LAST_FRAG);
|
||||
return (TRUE);
|
||||
|
Loading…
Reference in New Issue
Block a user