Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 936438 Details for
Bug 1140527
CVE-2014-3637 dbus: denial of service by creating unkillable D-Bus connections
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
initial upstream patch 1
0005-config-add-new-limit-pending_fd_timeout.patch (text/plain), 5.87 KB, created by
Murray McAllister
on 2014-09-11 08:36:47 UTC
(
hide
)
Description:
initial upstream patch 1
Filename:
MIME Type:
Creator:
Murray McAllister
Created:
2014-09-11 08:36:47 UTC
Size:
5.87 KB
patch
obsolete
>From 110bc05ab6782caf425929f8c69ee8604bc38e73 Mon Sep 17 00:00:00 2001 >From: Alban Crequy <alban.crequy@collabora.co.uk> >Date: Mon, 21 Jul 2014 17:34:08 +0100 >Subject: [PATCH 05/11] config: add new limit: pending_fd_timeout > >When a file descriptor is passed to dbus-daemon, the associated D-Bus message >might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file >descriptor in the DBusMessageLoader of the connection, waiting for the rest of >the message. If the client stops sending the remaining bytes, dbus-daemon will >wait forever and keep that file descriptor. > >This patch adds pending_fd_timeout (milliseconds) in the configuration to >disconnect a connection after a timeout when a file descriptor was sent but not >the remaining message. > >Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559 >Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk> >--- > bus/bus.c | 6 ++++++ > bus/bus.h | 2 ++ > bus/config-parser.c | 12 ++++++++++++ > bus/session.conf.in | 1 + > doc/dbus-daemon.1.xml.in | 4 ++++ > 5 files changed, 25 insertions(+) > >diff --git a/bus/bus.c b/bus/bus.c >index a3dce24..35d4075 100644 >--- a/bus/bus.c >+++ b/bus/bus.c >@@ -1241,6 +1241,12 @@ bus_context_get_auth_timeout (BusContext *context) > } > > int >+bus_context_get_pending_fd_timeout (BusContext *context) >+{ >+ return context->limits.pending_fd_timeout; >+} >+ >+int > bus_context_get_max_completed_connections (BusContext *context) > { > return context->limits.max_completed_connections; >diff --git a/bus/bus.h b/bus/bus.h >index 400c9d0..7d0b369 100644 >--- a/bus/bus.h >+++ b/bus/bus.h >@@ -54,6 +54,7 @@ typedef struct > long max_message_unix_fds; /**< Max number of unix fds of a single message*/ > int activation_timeout; /**< How long to wait for an activation to time out */ > int auth_timeout; /**< How long to wait for an authentication to time out */ >+ int pending_fd_timeout; /**< How long to wait for a D-Bus message with a fd to time out */ > int max_completed_connections; /**< Max number of authorized connections */ > int max_incomplete_connections; /**< Max number of incomplete connections */ > int max_connections_per_user; /**< Max number of connections auth'd as same user */ >@@ -106,6 +107,7 @@ BusClientPolicy* bus_context_create_client_policy (BusContext > DBusError *error); > int bus_context_get_activation_timeout (BusContext *context); > int bus_context_get_auth_timeout (BusContext *context); >+int bus_context_get_pending_fd_timeout (BusContext *context); > int bus_context_get_max_completed_connections (BusContext *context); > int bus_context_get_max_incomplete_connections (BusContext *context); > int bus_context_get_max_connections_per_user (BusContext *context); >diff --git a/bus/config-parser.c b/bus/config-parser.c >index 814725a..7bc9c01 100644 >--- a/bus/config-parser.c >+++ b/bus/config-parser.c >@@ -439,6 +439,11 @@ bus_config_parser_new (const DBusString *basedir, > * password) is allowed, then potentially it has to be quite long. > */ > parser->limits.auth_timeout = 5000; /* 5 seconds */ >+ >+ /* Do not allow a fd to stay forever in dbus-daemon >+ * https://bugs.freedesktop.org/show_bug.cgi?id=80559 >+ */ >+ parser->limits.pending_fd_timeout = 150000; /* 2.5 minutes */ > > parser->limits.max_incomplete_connections = 64; > parser->limits.max_connections_per_user = 256; >@@ -1902,6 +1907,12 @@ set_limit (BusConfigParser *parser, > must_be_int = TRUE; > parser->limits.auth_timeout = value; > } >+ else if (strcmp (name, "pending_fd_timeout") == 0) >+ { >+ must_be_positive = TRUE; >+ must_be_int = TRUE; >+ parser->limits.pending_fd_timeout = value; >+ } > else if (strcmp (name, "reply_timeout") == 0) > { > must_be_positive = TRUE; >@@ -3108,6 +3119,7 @@ limits_equal (const BusLimits *a, > || a->max_message_unix_fds == b->max_message_unix_fds > || a->activation_timeout == b->activation_timeout > || a->auth_timeout == b->auth_timeout >+ || a->pending_fd_timeout == b->pending_fd_timeout > || a->max_completed_connections == b->max_completed_connections > || a->max_incomplete_connections == b->max_incomplete_connections > || a->max_connections_per_user == b->max_connections_per_user >diff --git a/bus/session.conf.in b/bus/session.conf.in >index 74d9d1f..910e617 100644 >--- a/bus/session.conf.in >+++ b/bus/session.conf.in >@@ -52,6 +52,7 @@ > <limit name="max_message_unix_fds">@DEFAULT_MESSAGE_UNIX_FDS@</limit> > <limit name="service_start_timeout">120000</limit> > <limit name="auth_timeout">240000</limit> >+ <limit name="pending_fd_timeout">150000</limit> > <limit name="max_completed_connections">100000</limit> > <limit name="max_incomplete_connections">10000</limit> > <limit name="max_connections_per_user">100000</limit> >diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in >index 7b7f4a1..cd7942c 100644 >--- a/doc/dbus-daemon.1.xml.in >+++ b/doc/dbus-daemon.1.xml.in >@@ -528,6 +528,10 @@ Available limit names are:</para> > "auth_timeout" : milliseconds (thousandths) a > connection is given to > authenticate >+ "pending_fd_timeout" : milliseconds (thousandths) a >+ fd is given to be transmitted to >+ dbus-daemon before disconnecting the >+ connection > "max_completed_connections" : max number of authenticated connections > "max_incomplete_connections" : max number of unauthenticated > connections >-- >2.1.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=936438">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1140527
: 936438 |
936439
|
936441
|
936442