From 4383a6cb666bc79feb9ca0ee62dda0520955d286 Mon Sep 17 00:00:00 2001
|
|
From: Thierry Bordaz <tbordaz@redhat.com>
|
|
Date: Wed, 15 May 2019 17:46:14 +0200
|
|
Subject: [PATCH] Ticket 50329 - (2nd) Possible Security Issue: DOS due to
|
|
ioblocktimeout not applying to TLS
|
|
|
|
Bug Description:
|
|
A secure socket is configured in blocking mode. If an event
|
|
is detected on a secure socket a worker tries to receive the request.
|
|
If handshake occurs during the read, it can hang longer than
|
|
ioblocktimeout because it takes into account the socket option
|
|
rather than the timeout used for the ssl_Recv
|
|
|
|
Fix Description:
|
|
The fix is specific to secure sockets and sets this socket option
|
|
to do non blocking IO.
|
|
|
|
https://pagure.io/389-ds-base/issue/50329
|
|
|
|
Reviewed by: ?
|
|
|
|
Platforms tested: F28, RHEL7.6
|
|
|
|
Flag Day: no
|
|
|
|
Doc impact: no
|
|
---
|
|
ldap/servers/slapd/daemon.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
|
|
index c77e1f15c..b1d41c858 100644
|
|
--- a/ldap/servers/slapd/daemon.c
|
|
+++ b/ldap/servers/slapd/daemon.c
|
|
@@ -3191,7 +3191,7 @@ configure_pr_socket(PRFileDesc **pr_socket, int secure, int local)
|
|
|
|
if (secure) {
|
|
pr_socketoption.option = PR_SockOpt_Nonblocking;
|
|
- pr_socketoption.value.non_blocking = 0;
|
|
+ pr_socketoption.value.non_blocking = 1;
|
|
if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) {
|
|
PRErrorCode prerr = PR_GetError();
|
|
slapi_log_err(SLAPI_LOG_ERR,
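Review bot: Flipping `pr_socketoption.value.non_blocking` to 1 in the `if (secure)` branch changes the contract for every later read and write on the TLS socket, and the hunk touches no caller. On a non-blocking descriptor, sends and receives can complete partially or fail with `PR_WOULD_BLOCK_ERROR`, so each I/O path on secure connections has to retry under `PR_Poll` or an explicit timeout for ioblocktimeout to actually bound the handshake. Those paths are outside this hunk, so this should be confirmed rather than assumed, ideally with a test that stalls a TLS handshake and another that pushes a large response to a slow TLS client. The line also deserves a why-comment, for example `/* TLS: non-blocking, so a handshake during the read is bounded by ioblocktimeout (ticket 50329) */`. `configure_pr_socket` starts and ends outside the hunk, and the error message logged after `PR_SetSocketOption` fails is not visible here; check that its wording still matches the new mode.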
|
|
--
|
|
2.21.0
|
|
|