Bug 727445 - tcp_wrapper related daemons eat 100% CPU when a line of hosts.allow is exceeds 2048byte
tcp_wrapper related daemons eat 100% CPU when a line of hosts.allow is exceed...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: tcp_wrappers (Show other bugs)
5.3
All Linux
medium Severity high
: rc
: ---
Assigned To: Petr Lautrbach
qe-baseos-daemons
: Patch
Depends On:
Blocks: 1002709 731350
  Show dependency treegraph
 
Reported: 2011-08-02 03:46 EDT by antihong
Modified: 2013-10-06 21:45 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 731350 (view as bug list)
Environment:
Last Closed: 2013-10-06 21:45:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
"ps" result that sshd goes infine loop.. (12.96 KB, image/jpeg)
2011-08-02 03:46 EDT, antihong
no flags Details
Patch from Fedora (440 bytes, patch)
2012-06-21 15:30 EDT, Bryan Mason
no flags Details | Diff
Patch from CentOS (1.22 KB, patch)
2012-07-03 14:13 EDT, Bryan Mason
no flags Details | Diff

  None (edit)
Description antihong 2011-08-02 03:46:26 EDT
Created attachment 516268 [details]
"ps" result that sshd goes infine loop..

Description of problem:
If I set lots of IP lists(over 2048byte) at a line of /etc/hosts.allow, 
some programs that call the tcp_wrapper() such as ssh, snmpd,ldap, vsftpd, etc. eats 100% CPU when there was any request from outside. 
in case of ssh, can't connect even the IP was allowed from /etc/hosts.allow. 

Version-Release number of selected component (if applicable):
tcp_wrappers-7.6-40.7.el5

How reproducible:
very simple. just adding the lots if IP lists(around 160?) at a line.
you can check the size of the IP lists using Ctrl+G at the end of lists in vi mode.  


Steps to Reproduce:
1. add the lots of ip lists(over 2048 byte, aorund 160 ip lists?) at a line such as like below, for example, snmpd. 

/etc/hosts.allow 
snmpd: 1.1.1.1, 2.2.2.2, 3.3.3.3............
sshd : 5.6.7.8

2. add the deny all connections. 
/etc/hosts.deny 
sshd : All 

3. try to connect the ssh to this server from 3.3.3.3 that is allowed at hosts.allow. 
  
Actual results:
sshd process eats 100% CPU and client can't connect. 
this is "ps aux" result. 
--------------------------------------------------------------------------
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     27528 91.6  0.0   64824  2740 ?        Rs   16:33   0:05 sshd:
[accepted]
----------------------------------------------------------------------------

Expected results:


Additional info:
the sequence is important.
the exceeded line(snmpd for example) should be above than the actual service(sshd).

it's because of "xgets()" related issue and this causes infine loop.
Comment 1 antihong 2011-08-02 03:48:25 EDT
correction.

3. try to connect the ssh to this server from 3.3.3.3 that is allowed at
hosts.allow
==>  
3. try to connect the ssh to this server from 5.6.7.8 that is allowed at
hosts.allow
Comment 2 Jan F. Chadima 2011-08-11 15:48:46 EDT
can you please contact RH support?
Comment 3 antihong 2011-08-11 19:05:30 EDT
Do you mean this is not bug?

thanks.
Comment 4 Jan F. Chadima 2011-08-15 02:48:43 EDT
(In reply to comment #3)
> Do you mean this is not bug?
> 
> thanks.

this is the bug, of course, but connect the support please.
Comment 5 antihong 2011-08-15 05:27:48 EDT
but I don't know how to do it.
Could you do it instead of me?

thanks.
Comment 6 Jan F. Chadima 2011-08-17 07:55:07 EDT
I cannot to do it, Only I can do to repair the bug in fedora (now it is repaired in rawhide).
Comment 7 antihong 2011-08-17 19:31:07 EDT
I see..

then, could you please share the link you said(rawhide in fedora)?

thanks.
Comment 8 Petr Lautrbach 2012-03-13 11:11:47 EDT
The bug should be repaired in tcp_wrappers-7.6-68.fc17 -  http://koji.fedoraproject.org/koji/buildinfo?buildID=258818
Comment 9 RHEL Product and Program Management 2012-06-11 21:07:59 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 13 Jan Lieskovsky 2012-06-22 10:56:50 EDT
(In reply to comment #0)

The suggested workaround to avoid the excessive CPU use is to split such long row / entry into multiple lines / rules for the particular service.

> Steps to Reproduce:
> 1. add the lots of ip lists(over 2048 byte, aorund 160 ip lists?) at a line
> such as like below, for example, snmpd. 
> 
> /etc/hosts.allow 
> snmpd: 1.1.1.1, 2.2.2.2, 3.3.3.3............

like:

  snmpd: 1.1.1.1          ..      10.10.10.10 (example with ten IPs per row)
  snmpd: 11.11.11.11      ..      20.20.20.20 
                          ..
  snmpd: 151.151.151.151  ..     160.160.160.160 (the required count if IP's
                                                  needed respectively)

> sshd : 5.6.7.8
> 
> 2. add the deny all connections. 
> /etc/hosts.deny 
> sshd : All 
>
Comment 15 Bryan Mason 2012-07-03 14:13:56 EDT
Created attachment 596063 [details]
Patch from CentOS

http://bugs.centos.org/view.php?id=5667
Comment 18 RHEL Product and Program Management 2013-05-01 02:44:45 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 20 Andrius Benokraitis 2013-10-06 21:45:13 EDT
This Bugzilla has been reviewed by Red Hat and is not planned on being addressed in Red Hat Enterprise Linux 5, and therefore will be closed. If this bug is critical to production systems, please contact your Red Hat support representative and provide sufficient business justification.

Note You need to log in before you can comment on or make changes to this bug.