This is an automated email from the git hooks/post-receive script.
tbordaz pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new 33ac4f5 Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout
not applying to TLS
33ac4f5 is described below
commit 33ac4f5a78d1a42385d1c011d88cef26771e99f5
Author: Thierry Bordaz <tbordaz(a)redhat.com>
AuthorDate: Wed May 15 17:46:14 2019 +0200
Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying
to TLS
Bug Description:
A secure socket is configured in blocking mode. If an event
is detected on a secure socket a worker tries to receive the request.
If handshake occurs during the read, it can hang longer than
ioblocktimeout because it takes into account the socket option
rather than the timeout used for the ssl_Recv
Fix Description:
The fix is specific to secure socket and set this socket option
to do non blocking IO.
https://pagure.io/389-ds-base/issue/50329
Reviewed by: ?
Platforms tested: F28, RHEL7.6
Flag Day: no
Doc impact: no
---
ldap/servers/slapd/daemon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 4841a8a..afe0fb7 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -3193,7 +3193,7 @@ configure_pr_socket(PRFileDesc **pr_socket, int secure, int local)
if (secure) {
pr_socketoption.option = PR_SockOpt_Nonblocking;
- pr_socketoption.value.non_blocking = 0;
+ pr_socketoption.value.non_blocking = 1;
if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) {
PRErrorCode prerr = PR_GetError();
slapi_log_err(SLAPI_LOG_ERR,
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.