Bug 845821 - -milterfdleaks patch causes endless, high frequent log storm
Summary: -milterfdleaks patch causes endless, high frequent log storm
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sendmail
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Jaroslav Škarvada
QA Contact: Alois Mahdal
Depends On:
TreeView+ depends on / blocked
Reported: 2012-08-05 11:21 UTC by Enrico Scholz
Modified: 2015-07-22 06:24 UTC (History)
5 users (show)

Fixed In Version: sendmail-8.14.4-9.el6
Doc Type: Bug Fix
Doc Text:
Under certain circumstances, sendmail previously recorded a very large number of log messages that reported failures to set the close-on-exec flag. The Milter implementation has been modified to perform socket validation before the fnctl() function attempts to set close-on-exec. As a result, fnctl() is no longer called on invalid sockets, and the described log messages no longer occur.
Clone Of:
Last Closed: 2015-07-22 06:24:14 UTC
Target Upstream Version:

Attachments (Terms of Use)
Proposed fix (2.13 KB, patch)
2012-08-06 07:26 UTC, Jaroslav Škarvada
no flags Details | Diff
Patch against 8.14.6 (Rawhide) (2.42 KB, patch)
2013-02-07 10:26 UTC, Paul Howarth
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1299 0 normal SHIPPED_LIVE sendmail bug fix update 2015-07-20 17:53:56 UTC

Description Enrico Scholz 2012-08-05 11:21:25 UTC
Description of problem:

One of my systems created endless, high frequent log messages (up to
6000 messages per second) like

| Aug  4 08:08:53 ... Unable to set close-on-exec on connfd (Bad file descriptor)
| Aug  4 08:08:53 ... Unable to set close-on-exec on connfd (Bad file descriptor)

This is caused by sendmail-8.14.3-milterfdleaks.patch which uses
'connfd' without validating it:

|       connfd = accept(listenfd, (struct sockaddr *) &cliaddr,
|                       &clilen);
|  ...
| +     if ((fdflags = fcntl(connfd, F_GETFD, 0)) == -1 ||
| +         fcntl(connfd, F_SETFD, fdflags | FD_CLOEXEC) == -1)
| +     {
| +             smi_log(SMI_LOG_WARN,
| +                     "%s: Unable to set close-on-exec on connfd (%s)",
| +                     smfi->xxfi_name, sm_errstring(errno));

There is an (unknown) underlying problem which is unrelated to this
patch.  But the fcntl() operations should not be executed before
validating 'connfd'.  Handling of bad 'connfd' descriptor is done
later in the milter code so that no further actions should be done in
this case by the patch.

Version-Release number of selected component (if applicable):


Comment 2 Jaroslav Škarvada 2012-08-06 07:26:34 UTC
Created attachment 602450 [details]
Proposed fix

The problem seems to be elsewhere, but we could fix it.

Comment 3 RHEL Program Management 2012-09-07 05:11:13 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 4 Paul Howarth 2013-02-07 10:26:25 UTC
Created attachment 694372 [details]
Patch against 8.14.6 (Rawhide)

Proposed patch looks sane. Here's the patch I'm using in my local build for 8.14.6 (almost identical to the Rawhide package) on Fedora 18 for the last week or so. Haven't seen any problems with it.

Comment 10 Alois Mahdal 2015-04-15 08:27:59 UTC
Patch reviewed by QA and confirmed to fix issue on customer side. Sanity and regression suite ran on all archs.


Comment 12 errata-xmlrpc 2015-07-22 06:24:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.