Bug 77724
Summary: | xinetd connections to tftpd denied by tcpwrappers cause problems | | |
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | David Mathog <mathog> |
Component: | xinetd | Assignee: | Jay Fenlason <fenlason> |
Status: | CLOSED ERRATA | QA Contact: | Brock Organ <borgan> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | 7.3 | CC: | jfeeney, k.georgiou, stephan.guilloux |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | athlon | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2003-10-02 11:33:57 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
David Mathog
2002-11-12 16:59:39 UTC
I second that; this morning I found multimegabytes of log entries in /var/log/secure and /var/log/messages on one of our cluster frontends, apparently resulting from a single connection from somewhere in Russia. This is reproducible; any tftp connection attempt from a non-allowed address throws xinetd into a forking loop.

An erratum for xinetd (to version 2.3.11) is in progress.

An erratum for xinetd taking it to version 2.3.11 is available: http://rhn.redhat.com/errata/RHSA-2003-161.html Does this fix this issue?

The 2.3.11 update does NOT fix the issue.
And how hard would it have been for Redhat to test this???
It took all of 10 seconds to install the rpm
and then from a forbidden machine (blocked by /etc/hosts.allow)
do:
% tftp linuxbox
>tftp get /tmp/foobar
(a file which doesn't exist)
and then tail linuxbox's /var/log/messages:
May 30 09:36:25 linuxbox xinetd[32052]: xinetd Version 2.3.11 started with
libwrap loadavg options compiled in.
May 30 09:36:25 linuxbox xinetd[32052]: Started working: 4 available services
May 30 09:36:28 linuxbox xinetd: xinetd startup succeeded
May 30 09:37:27 linuxbox xinetd[32052]: Deactivating service tftp due to
excessive incoming connections. Restarting in 5 seconds.
May 30 09:37:32 linuxbox xinetd[32052]: Activating service tftp
May 30 09:37:37 linuxbox xinetd[32052]: Deactivating service tftp due to
excessive incoming connections. Restarting in 5
May 30 09:37:42 linuxbox xinetd[32052]: Activating service tftp
Maybe this may help. Problem is that for every over-UDP protocol, xinetd uses something like recvfrom(..., MSG_PEEK, ...). In this case, the frame is never removed from the socket queue. The child checks in /etc/hosts for allowed hosts to use TFTP, and dies, but the frame is not removed from the UDP socket queue. Then the select() finds the TFTP frame and loops forever. One solution would be like a recvfrom(..., 0, ...) just before child death in case of error in libwrap.

Note: platform field should be 'all', not only 'athlon'.

xinetd-2.3.12 appears to address this issue, after the upstream maintainers spent a long time discussing possible solutions on the mailing list. I don't think the xinetd-2.3.12-1.10.0 RPM in Raw Hide will work on a Red Hat Linux 7.3 system, but you can download the SRPM and do a rpmbuild --rebuild on it. Let me know if it solves the problem for you.
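The peek-without-consume loop described in the comment above, reproduced as an added userspace example (not xinetd's own code): a UDP socket receives a constructed TFTP read request, the "child" only peeks at it and exits as if libwrap had denied the peer, and select() keeps reporting the socket readable until the datagram is actually consumed with flags 0. The function names, the loopback setup and the libwrap denial (simulated by simply not reading) are assumptions for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if fd is readable right now (zero-timeout select), 0 if not, -1 on error. */
static int readable_now(int fd) {
    fd_set rfds; struct timeval tv = {0, 0};
    FD_ZERO(&rfds); FD_SET(fd, &rfds);
    int r = select(fd + 1, &rfds, NULL, NULL, &tv);
    return r < 0 ? -1 : (r > 0 && FD_ISSET(fd, &rfds));
}

/* Hypothetical model of xinetd's UDP dispatch path.
 * drain = 0: buggy behaviour (peek, deny, child exits, datagram stays queued).
 * drain = 1: proposed fix (recvfrom with flags 0 before the child exits).
 * Returns how many consecutive select() wakeups follow the denial, capped at 5:
 * the bug yields 5 (it would spin forever), the fix yields 0. */
int simulate_rejected_tftp(int drain) {
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in a; memset(&a, 0, sizeof a);
    a.sin_family = AF_INET; a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); a.sin_port = 0;
    if (srv < 0 || cli < 0 || bind(srv, (struct sockaddr *)&a, sizeof a) < 0) return -1;
    socklen_t alen = sizeof a;
    getsockname(srv, (struct sockaddr *)&a, &alen);   /* learn the ephemeral port */
    /* Constructed TFTP RRQ (opcode 1) for "foobar" in octet mode. */
    const char rrq[] = "\0\1foobar\0octet\0";
    sendto(cli, rrq, sizeof rrq - 1, 0, (struct sockaddr *)&a, alen);
    char buf[516]; struct sockaddr_in peer; socklen_t plen = sizeof peer;
    /* xinetd peeks so the child can learn the peer address for the libwrap check. */
    recvfrom(srv, buf, sizeof buf, MSG_PEEK, (struct sockaddr *)&peer, &plen);
    /* libwrap denies the peer and the child exits; the fix consumes the frame first. */
    if (drain) recvfrom(srv, buf, sizeof buf, 0, NULL, NULL);
    int wakeups = 0;
    for (int i = 0; i < 5 && readable_now(srv) == 1; i++) {
        wakeups++;
        /* Buggy path: select() wakes, xinetd peeks again, denies again, never consumes. */
        recvfrom(srv, buf, sizeof buf, MSG_PEEK, (struct sockaddr *)&peer, &plen);
    }
    close(srv); close(cli);
    return wakeups;
}
```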