| Summary: | tcp_wrapper related daemons eat 100% CPU when a line of hosts.allow is exceeds 2048byte | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | antihong | ||||||||
| Component: | tcp_wrappers | Assignee: | Petr Lautrbach <plautrba> | ||||||||
| Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | 5.3 | CC: | jlieskov, rmcswain | ||||||||
| Target Milestone: | rc | Keywords: | Patch | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | |||||||||||
| : | 731350 1995483 (view as bug list) | Environment: | |||||||||
| Last Closed: | 2013-10-07 01:45:13 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 731350, 1002709, 1995483 | ||||||||||
| Attachments: |
|
||||||||||
correction. 3. try to connect the ssh to this server from 3.3.3.3 that is allowed at hosts.allow ==> 3. try to connect the ssh to this server from 5.6.7.8 that is allowed at hosts.allow can you please contact RH support? Do you mean this is not bug? thanks. (In reply to comment #3) > Do you mean this is not bug? > > thanks. this is the bug, of course, but connect the support please. but I don't know how to do it. Could you do it instead of me? thanks. I cannot to do it, Only I can do to repair the bug in fedora (now it is repaired in rawhide). I see.. then, could you please share the link you said(rawhide in fedora)? thanks. The bug should be repaired in tcp_wrappers-7.6-68.fc17 - http://koji.fedoraproject.org/koji/buildinfo?buildID=258818 This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. Created attachment 593569 [details] Patch from Fedora http://pkgs.fedoraproject.org/gitweb/?p=tcp_wrappers.git;a=blob;f=tcp_wrappers-7.6-xgets.patch;h=2c7d81fade76fc60e72b61038d03653907badd08;hb=2a8f5527b295178db0f09d082986c286cba908c0 (In reply to comment #0) The suggested workaround to avoid the excessive CPU use is to split such long row / entry into multiple lines / rules for the particular service. > Steps to Reproduce: > 1. add the lots of ip lists(over 2048 byte, aorund 160 ip lists?) at a line > such as like below, for example, snmpd. > > /etc/hosts.allow > snmpd: 1.1.1.1, 2.2.2.2, 3.3.3.3............ like: snmpd: 1.1.1.1 .. 10.10.10.10 (example with ten IPs per row) snmpd: 11.11.11.11 .. 20.20.20.20 .. snmpd: 151.151.151.151 .. 160.160.160.160 (the required count if IP's needed respectively) > sshd : 5.6.7.8 > > 2. add the deny all connections. > /etc/hosts.deny > sshd : All > Created attachment 596063 [details] Patch from CentOS http://bugs.centos.org/view.php?id=5667 This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux. This Bugzilla has been reviewed by Red Hat and is not planned on being addressed in Red Hat Enterprise Linux 5, and therefore will be closed. If this bug is critical to production systems, please contact your Red Hat support representative and provide sufficient business justification. |
Created attachment 516268 [details] "ps" result that sshd goes infine loop.. Description of problem: If I set lots of IP lists(over 2048byte) at a line of /etc/hosts.allow, some programs that call the tcp_wrapper() such as ssh, snmpd,ldap, vsftpd, etc. eats 100% CPU when there was any request from outside. in case of ssh, can't connect even the IP was allowed from /etc/hosts.allow. Version-Release number of selected component (if applicable): tcp_wrappers-7.6-40.7.el5 How reproducible: very simple. just adding the lots if IP lists(around 160?) at a line. you can check the size of the IP lists using Ctrl+G at the end of lists in vi mode. Steps to Reproduce: 1. add the lots of ip lists(over 2048 byte, aorund 160 ip lists?) at a line such as like below, for example, snmpd. /etc/hosts.allow snmpd: 1.1.1.1, 2.2.2.2, 3.3.3.3............ sshd : 5.6.7.8 2. add the deny all connections. /etc/hosts.deny sshd : All 3. try to connect the ssh to this server from 3.3.3.3 that is allowed at hosts.allow. Actual results: sshd process eats 100% CPU and client can't connect. this is "ps aux" result. -------------------------------------------------------------------------- USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 27528 91.6 0.0 64824 2740 ? Rs 16:33 0:05 sshd: [accepted] ---------------------------------------------------------------------------- Expected results: Additional info: the sequence is important. the exceeded line(snmpd for example) should be above than the actual service(sshd). it's because of "xgets()" related issue and this causes infine loop.