Bug 1301581
| Summary: | Back port of bz 1163891 required as rpc.mountd can be blocked by a bad client | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Rinku <rkothiya> | |
| Component: | nfs-utils | Assignee: | Steve Dickson <steved> | |
| Status: | CLOSED ERRATA | QA Contact: | Yongcheng Yang <yoyang> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 6.7 | CC: | cww, djeffery, dwysocha, eguan, fs-qe, mkolaja, ngalvin, sbhat, steved, yoyang | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | nfs-utils-1.2.3-71.el6 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1350702 (view as bug list) | Environment: | ||
| Last Closed: | 2017-03-21 11:23:11 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1269194, 1350702 | |||
|
Comment 6
Yongcheng Yang
2016-04-19 02:23:39 UTC
I'm not sure about a hotfix for this bug. The first patch header states it is 'experimental'. Are we sure these 3 patches won't have side-effects? I have not reviewed the 3 patches carefully in detail.
Might be more appropriate for a Z-stream. SteveD - what do you think - should these be safe or do we need some QE before releasing?
commit e4569a0961ff9f059b9ae71327d291cf95399597
Author: Bodo Stroesser <bstroesser.com>
Date: Wed Nov 12 09:43:29 2014 -0500
rpc.mountd: set libtirpc nonblocking mode to avoid DOS
This patch is experimental. In works fine in that it removes the
vulnerability against a DOS attack. rpc.mountd can be blocked by
a bad client, that sends many RPC requests but never reads the
responses. This might happen intentionally or caused by a wrong
network config (MTU). The patch switches on the nonblocking
mode of libtirpc. In that mode writes can block for a max of 2 seconds.
Attackers are forced to send requests slower, as libtirpc will close
a connection if it finds two requests to read at the same time.
Reviewed-by: NeilBrown <neilb>
Signed-off-by: Bodo Stroesser <bstroesser.com>
Signed-off-by: Steve Dickson <steved>
(In reply to Dave Wysochanski from comment #11) > I'm not sure about a hotfix for this bug. The first patch header states it > is 'experimental'. Are we sure these 3 patches won't have side-effects? I > have not reviewed the 3 patches carefully in detail. > > Might be more appropriate for a Z-stream. SteveD - what do you think - > should these be safe or do we need some QE before releasing? > > commit e4569a0961ff9f059b9ae71327d291cf95399597 > Author: Bodo Stroesser <bstroesser.com> > Date: Wed Nov 12 09:43:29 2014 -0500 > > rpc.mountd: set libtirpc nonblocking mode to avoid DOS > Its been in place for a number of years and its in RHEL 7 so I'm thinking the three are fairly stable. I agree with going through the Z-stream process allowing QE to do some testing... Moving to VERIFIED according to test logs of Comment #15. Also include this automatic case as regression test in the future. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0741.html |