| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Jan 2013 08:56:28 -0800 From: Eric Dumazet <eric.dumazet@...il.com> To: Yannick Koehler <yannick@...hler.name> Cc: Cong Wang <xiyou.wangcong@...il.com>, netdev@...r.kernel.org Subject: Re: Unix Socket buffer attribution On Wed, 2013-01-23 at 11:36 -0500, Yannick Koehler wrote: > > So what prevents a malicious program to DOS the machine ? > > The recv queue (checked with recvq_full()) and receiving's socket > rcvbuf (check added in my patch). > Nope. The limit is given in number of messages, and its the socket backlog. Many machines setup a somaxconn = 1024 limit in order to reasonably listen for TCP connections. > Actually the current situation can easily lead to a DOS situation. I > simply have to write one application that connect to a unix socket > domain and have it send me data for which I never call recvfrom() and > voilĂ , all other consumer of this unix socket application will no more > be able to communicate with this application once it maxed out it's > sndbuf, default is 128k I believe. A single message can consume ~128k. If we allow 1024 messages being sent, we consume 128 Mbytes per evil socket. Enough to kill many linux based devices. You'll have to add proper limits (SO_RCVBUF), accounting the truesize of all accumulated messages. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists