From patchwork Wed Nov 5 20:24:29 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bodo Stroesser X-Patchwork-Id: 5237921 Return-Path: X-Original-To: patchwork-linux-nfs@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 0DAD09F295 for ; Wed, 5 Nov 2014 20:24:36 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 91DE220166 for ; Wed, 5 Nov 2014 20:24:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 00F722012F for ; Wed, 5 Nov 2014 20:24:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751769AbaKEUYc (ORCPT ); Wed, 5 Nov 2014 15:24:32 -0500 Received: from dgate10.ts.fujitsu.com ([80.70.172.49]:5583 "EHLO dgate10.ts.fujitsu.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752144AbaKEUYa (ORCPT ); Wed, 5 Nov 2014 15:24:30 -0500 DomainKey-Signature: s=s1536a; d=ts.fujitsu.com; c=nofws; q=dns; h=Message-Id:Date:X-SBRSScore:X-IronPort-AV:Received: X-IronPort-AV:Received:From:To:Cc:Subject:Content-Type: Content-Transfer-Encoding; b=ZVLkwXhNWvZ8bVJ0MxMvIbGvV4X3Uu8g6AKVm/aZHEXpeI4GKrLFF25p PQ8tfwp2QcA5eEc3cS7alE2z88nDxHJIeNUJVhL1sEIWtS23FgSjU9gbV 6Bktxu36HkoAhil1a+GOS1Fr48Vrc5ouFkXvomh9076PtOd1t4Kj3//w3 Cuh7mzdEZZ5kxiV2Hzs7ezP1POaSTjgmNR/Lf9ggh+QRJiWhx6yC74FsF 4u+DTOh2rbnpCJuGvrPqDtrwrh+oG; DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ts.fujitsu.com; i=@ts.fujitsu.com; q=dns/txt; s=s1536b; t=1415219070; x=1446755070; h=from:to:cc:subject:content-transfer-encoding:message-id: date; bh=ys1OKJHf9L92RqgbkYVSTbrhRJQVCm7fZtIJacGoWyM=; b=a2c+lPN5WS02TEi+Iboc/e/g6oRFWmmla9xRXEWHO6QmZ8/XuoaLF7rw SAfmVqpitq/utUD00vlpbMEXbZlhlmJOFDBldW20THxgrtsGjZPKO9BUE s/3BRmVj3dV6SoZAl60jo7A9y3bi0L7bUEt6BV1TtE+e82eAi0vhWgwJO IOmkR8O/iIgPcXDCHsq04jO69loprXcwhenE2rJZAIcecC7r8yKKoNfVv lOH1+gqWMRf1omPzoj0XKTaSOchxe; Message-Id: Date: 05 Nov 2014 21:24:29 +0100 X-SBRSScore: None X-IronPort-AV: E=Sophos;i="5.07,321,1413237600"; d="scan'208";a="212337861" Received: from unknown (HELO abgdate50u.abg.fsc.net) ([172.25.138.66]) by dgate10u.abg.fsc.net with ESMTP; 05 Nov 2014 21:24:29 +0100 X-IronPort-AV: E=Sophos;i="5.07,321,1413237600"; d="scan'208";a="53679456" Received: from unknown (HELO BridgeHost.test.fsc.net) ([172.17.68.112]) by abgdate50u.abg.fsc.net with SMTP; 05 Nov 2014 21:24:29 +0100 From: bstroesser@ts.fujitsu.com To: neilb@suse.de, linux-nfs@vger.kernel.org Cc: bfields@fieldses.org, bstroesser@ts.fujitsu.com Subject: [nfs-utils] [PATCH 3/3] rpc.mountd: set libtirpc nonblocking mode to avoid DOS Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Spam-Status: No, score=-5.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, MIME_BASE64_BLANKS, MIME_BASE64_TEXT, MSGID_FROM_MTA_HEADER, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Bodo Stroesser Date: Thu, 09 Oct 2014 13:06:19 +0200 Subject: [nfs-utils] [PATCH 3/3] rpc.mountd: set libtirpc nonblocking mode to avoid DOS This patch is experimental. In works fine in that it removes the vulnerability against a DOS attack. rpc.mountd can be blocked by a bad client, that sends many RPC requests but never reads the responses. This might happen intentionally or caused by a wrong network config (MTU). The patch switches on the nonblocking mode of libtirpc. In that mode writes can block for a max. of 2 seconds. Attackers are forced to send requests slower, as libtirpc will close a connection if it finds two requests to read at the same time. I do not know, whether setting MAXREC could cause trouble e.g. with big replies. Signed-off-by: Bodo Stroesser --- nfs-utils-1.3.1/support/nfs/svc_create.c 2014-10-09 12:09:15.000000000 +0200 +++ nfs-utils-1.3.1/support/nfs/svc_create.c 2014-10-09 12:13:32.000000000 +0200 @@ -49,6 +49,8 @@ #ifdef HAVE_LIBTIRPC +#include + #define SVC_CREATE_XPRT_CACHE_SIZE (8) static SVCXPRT *svc_create_xprt_cache[SVC_CREATE_XPRT_CACHE_SIZE] = { NULL, }; @@ -401,6 +403,7 @@ const struct sigaction create_sigaction = { .sa_handler = SIG_IGN, }; + int maxrec = RPC_MAXDATASIZE; unsigned int visible, up, servport; struct netconfig *nconf; void *handlep; @@ -412,6 +415,20 @@ */ (void)sigaction(SIGPIPE, &create_sigaction, NULL); + /* + * Setting MAXREC also enables non-blocking mode for tcp connections. + * This avoids DOS attacks by a client sending many requests but never + * reading the reply: + * - if a second request already is present for reading in the socket, + * after the first request just was read, libtirpc will break the + * connection. Thus an attacker can't simply send requests as fast as + * he can without waiting for the response. + * - if the write buffer of the socket is full, the next write() will + * fail with EAGAIN. libtirpc will retry the write in a loop for max. + * 2 seconds. If write still fails, the connection will be closed. + */ + rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrec); + handlep = setnetconfig(); if (handlep == NULL) { xlog(L_ERROR, "Failed to access local netconfig database: %s",