Hi,

I'm running a RH6.2 Linux box called ``bunker'' with

/etc/inetd.conf excerpt:

    ...
    time stream tcp nowait root internal
    ...

bunker is used by other hosts on the LAN to get a correct time with rdate (Solaris and Linux rdate clients running ``rdate bunker'' in a cron).

Looking at open files (with /usr/sbin/lsof) you can see a new entry at each connection of a client.

    inetd 3163 root 11u IPv4 403354 TCP bunker.izinet.au:time->bonnie.izinet.au:1697 (CLOSE_WAIT)

After some time the table of open files is full and other applications stop working properly (syslog, cvs server (connection reset by server: too many open files)), resulting in a typical denial of service attack possibility.

Reproduce it by running on the server:

    watch "/usr/sbin/lsof |grep time |wc -l"

and on a client:

    while true; do rdate bunker; done

[As a fix I thought that the socket should close itself when the client calls close() or when the client process exits. This does not happen and it seems there's no timeout on server side socket open in TCP_WAIT state.]
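A monitoring check for the symptom described in the report above, as an added example that is not part of the original report: it counts sockets stuck in CLOSE_WAIT per process and local service from lsof output and flags those at or above a threshold. The function names, the threshold, the host clyde.izinet.au and every sample line except the inetd one quoted in the report are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original report): find processes that are
# accumulating sockets in CLOSE_WAIT, the leak pattern described above.

# Reads lsof lines on stdin; prints "COMMAND PID SERVICE COUNT" per group.
count_close_wait() {
    awk '
        $NF == "(CLOSE_WAIT)" {
            # The field before the state is NAME: local:port->remote:port
            split($(NF-1), ends, "->")
            n = split(ends[1], parts, ":")
            svc = parts[n]              # local port or service name
            count[$1 " " $2 " " svc]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Prints only the groups holding at least $1 CLOSE_WAIT sockets.
leaking() {
    count_close_wait | awk -v t="$1" '$4 + 0 >= t + 0'
}

# Constructed sample in the column layout of the lsof line in the report.
sample_lsof() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE NODE NAME
inetd 3163 root 4u IPv4 1201 TCP *:time (LISTEN)
inetd 3163 root 11u IPv4 403354 TCP bunker.izinet.au:time->bonnie.izinet.au:1697 (CLOSE_WAIT)
inetd 3163 root 12u IPv4 403360 TCP bunker.izinet.au:time->bonnie.izinet.au:1698 (CLOSE_WAIT)
inetd 3163 root 13u IPv4 403371 TCP bunker.izinet.au:time->clyde.izinet.au:1040 (CLOSE_WAIT)
cvs 4021 root 5u IPv4 403399 TCP bunker.izinet.au:cvspserver->clyde.izinet.au:1041 (ESTABLISHED)
sshd 512 root 3u IPv4 403400 TCP bunker.izinet.au:ssh->clyde.izinet.au:1042 (CLOSE_WAIT)
EOF
}

# Demo on the constructed sample, threshold of 3 (assumed value).
sample_lsof | leaking 3

# Live use on a server (threshold is an assumption, tune per host):
#   /usr/sbin/lsof -n -i TCP | leaking 50
```

Run from cron or a monitoring agent, a non-empty result for inetd gives early warning before the open-file table fills.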
Submitted a CERT vulnerability report
*** This bug has been marked as a duplicate of 14876 ***