Date: Wed, 20 May 1998 08:56:12 -0700 (PDT) From: Bill Paul <wpaul@FreeBSD.ORG> To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-lib@FreeBSD.ORG Subject: cvs commit: src/lib/libc/xdr xdr_rec.c Message-ID: <199805201556.IAA15643@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
wpaul 1998/05/20 08:56:11 PDT
Modified files:
lib/libc/xdr xdr_rec.c
Log:
Change the sanity test here. It's not correct to assume that the record
size we receive here should fit into the receive buffer. Unfortunately,
there's no 100% foolproof way to distinguish a ridiculously large record
size that a client actually meant to send us from a ridiculously large
record size that was sent as a spoof attempt.
The one value that we can positively identify as bogus is zero. A
zero-sized record makes absolutely no sense, and sending an endless
supply of zeroes will cause the server to loop forever trying to
fill its receive buffer.
Note that the changes made to readtcp() make it okay to revert this
sanity test since the deadlock case where a client can keep the server
occupied forever in the readtcp() select() loop can't happen anymore.
This solution is not ideal, but is relatively easy to implement. The
ideal solution would be to re-arrange the way dispatching is handled
so that the select() loop in readtcp() can be eliminated, but this is
difficult to implement. I do plan to implement the complete solution
eventually but in the meantime I don't want to leave the RPC library
totally vulnerable.
That you very much Sun, may I have another.
Revision Changes Path
1.10 +7 -3 src/lib/libc/xdr/xdr_rec.c
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805201556.IAA15643>