Change the sanity test here. It's not correct to assume that the record

size we receive here should fit into the receive buffer. Unfortunately,
there's no 100% foolproof way to distinguish a ridiculously large record
size that a client actually meant to send us from a ridiculously large
record size that was sent as a spoof attempt.

The one value that we can positively identify as bogus is zero. A
zero-sized record makes absolutely no sense, and sending an endless
supply of zeroes will cause the server to loop forever trying to
fill its receive buffer.

Note that the changes made to readtcp() make it okay to revert this
sanity test since the deadlock case where a client can keep the server
occupied forever in the readtcp() select() loop can't happen anymore.
This solution is not ideal, but is relatively easy to implement. The
ideal solution would be to re-arrange the way dispatching is handled
so that the select() loop in readtcp() can be eliminated, but this is
difficult to implement. I do plan to implement the complete solution
eventually but in the meantime I don't want to leave the RPC library
totally vulnerable.

That you very much Sun, may I have another.
This commit is contained in:
Bill Paul 1998-05-20 15:56:11 +00:00
parent 6d5a01beb3
commit 1ce4aec2b4

View File

@ -29,7 +29,7 @@
#if defined(LIBC_SCCS) && !defined(lint) #if defined(LIBC_SCCS) && !defined(lint)
/*static char *sccsid = "from: @(#)xdr_rec.c 1.21 87/08/11 Copyr 1984 Sun Micro";*/ /*static char *sccsid = "from: @(#)xdr_rec.c 1.21 87/08/11 Copyr 1984 Sun Micro";*/
/*static char *sccsid = "from: @(#)xdr_rec.c 2.2 88/08/01 4.0 RPCSRC";*/ /*static char *sccsid = "from: @(#)xdr_rec.c 2.2 88/08/01 4.0 RPCSRC";*/
static char *rcsid = "$Id: xdr_rec.c,v 1.8 1997/05/28 04:57:38 wpaul Exp $"; static char *rcsid = "$Id: xdr_rec.c,v 1.9 1998/05/15 22:57:31 wpaul Exp $";
#endif #endif
/* /*
@ -552,9 +552,13 @@ set_input_fragment(rstrm)
rstrm->last_frag = ((header & LAST_FRAG) == 0) ? FALSE : TRUE; rstrm->last_frag = ((header & LAST_FRAG) == 0) ? FALSE : TRUE;
/* /*
* Sanity check. Try not to accept wildly incorrect * Sanity check. Try not to accept wildly incorrect
* record sizes. * record sizes. Unfortunately, the only record size
* we can positively identify as being 'wildly incorrect'
* is zero. Ridiculously large record sizes may look wrong,
* but we don't have any way to be certain that they aren't
* what the client actually intended to send us.
*/ */
if ((header & (~LAST_FRAG)) > rstrm->recvsize) if ((header & (~LAST_FRAG)) == 0)
return(FALSE); return(FALSE);
rstrm->fbtbc = header & (~LAST_FRAG); rstrm->fbtbc = header & (~LAST_FRAG);
return (TRUE); return (TRUE);