Bug 845821 - -milterfdleaks patch causes endless, high frequent log storm
-milterfdleaks patch causes endless, high frequent log storm
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sendmail (Show other bugs)
6.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Jaroslav Škarvada
Alois Mahdal
: Patch
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-05 07:21 EDT by Enrico Scholz
Modified: 2015-07-22 02:24 EDT (History)
5 users (show)

See Also:
Fixed In Version: sendmail-8.14.4-9.el6
Doc Type: Bug Fix
Doc Text:
Under certain circumstances, sendmail previously recorded a very large number of log messages that reported failures to set the close-on-exec flag. The Milter implementation has been modified to perform socket validation before the fnctl() function attempts to set close-on-exec. As a result, fnctl() is no longer called on invalid sockets, and the described log messages no longer occur.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-22 02:24:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Proposed fix (2.13 KB, patch)
2012-08-06 03:26 EDT, Jaroslav Škarvada
no flags Details | Diff
Patch against 8.14.6 (Rawhide) (2.42 KB, patch)
2013-02-07 05:26 EST, Paul Howarth
no flags Details | Diff

  None (edit)
Description Enrico Scholz 2012-08-05 07:21:25 EDT
Description of problem:

One of my systems created endless, high frequent log messages (up to
6000 messages per second) like

| Aug  4 08:08:53 ... Unable to set close-on-exec on connfd (Bad file descriptor)
| Aug  4 08:08:53 ... Unable to set close-on-exec on connfd (Bad file descriptor)

This is caused by sendmail-8.14.3-milterfdleaks.patch which uses
'connfd' without validating it:

|       connfd = accept(listenfd, (struct sockaddr *) &cliaddr,
|                       &clilen);
|  ...
| +     if ((fdflags = fcntl(connfd, F_GETFD, 0)) == -1 ||
| +         fcntl(connfd, F_SETFD, fdflags | FD_CLOEXEC) == -1)
| +     {
| +             smi_log(SMI_LOG_WARN,
| +                     "%s: Unable to set close-on-exec on connfd (%s)",
| +                     smfi->xxfi_name, sm_errstring(errno));


There is an (unknown) underlying problem which is unrelated to this
patch.  But the fcntl() operations should not be executed before
validating 'connfd'.  Handling of bad 'connfd' descriptor is done
later in the milter code so that no further actions should be done in
this case by the patch.


Version-Release number of selected component (if applicable):

sendmail-8.14.4-8.el6.x86_64
Comment 2 Jaroslav Škarvada 2012-08-06 03:26:34 EDT
Created attachment 602450 [details]
Proposed fix

The problem seems to be elsewhere, but we could fix it.
Comment 3 RHEL Product and Program Management 2012-09-07 01:11:13 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 4 Paul Howarth 2013-02-07 05:26:25 EST
Created attachment 694372 [details]
Patch against 8.14.6 (Rawhide)

Proposed patch looks sane. Here's the patch I'm using in my local build for 8.14.6 (almost identical to the Rawhide package) on Fedora 18 for the last week or so. Haven't seen any problems with it.
Comment 10 Alois Mahdal 2015-04-15 04:27:59 EDT
Patch reviewed by QA and confirmed to fix issue on customer side. Sanity and regression suite ran on all archs.

VERIFIED
Comment 12 errata-xmlrpc 2015-07-22 02:24:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1299.html

Note You need to log in before you can comment on or make changes to this bug.