From 4383a6cb666bc79feb9ca0ee62dda0520955d286 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Wed, 15 May 2019 17:46:14 +0200
Subject: [PATCH] Ticket 50329 - (2nd) Possible Security Issue: DOS due to
 ioblocktimeout not applying to TLS
Bug Description:
    A secure socket is configured in blocking mode. If an event
    is detected on a secure socket a worker tries to receive the request.
    If handshake occurs during the read, it can hang longer than
    ioblocktimeout because it takes into account the socket option
    rather than the timeout used for the ssl_Recv
Fix Description:
    The fix is specific to secure sockets and sets this socket option
    to do non blocking IO.
https://pagure.io/389-ds-base/issue/50329
Reviewed by: ?
Platforms tested: F28, RHEL7.6
Flag Day: no
Doc impact: no
---
 ldap/servers/slapd/daemon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
d0a457
index c77e1f15c..b1d41c858 100644
d0a457
--- a/ldap/servers/slapd/daemon.c
d0a457
+++ b/ldap/servers/slapd/daemon.c
d0a457
@@ -3191,7 +3191,7 @@ configure_pr_socket(PRFileDesc **pr_socket, int secure, int local)
d0a457
 
d0a457
     if (secure) {
d0a457
         pr_socketoption.option = PR_SockOpt_Nonblocking;
d0a457
-        pr_socketoption.value.non_blocking = 0;
d0a457
+        pr_socketoption.value.non_blocking = 1;
d0a457
         if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) {
d0a457
             PRErrorCode prerr = PR_GetError();
d0a457
             slapi_log_err(SLAPI_LOG_ERR,
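Review bot: The flipped assignment `pr_socketoption.value.non_blocking = 1;` has no comment, although it is the whole of a denial-of-service fix and reads like a tuning change that a later cleanup could revert. I would put `/* non-blocking: a TLS handshake during a read must not block past ioblocktimeout (ticket 50329) */` above it and write the value as `PR_TRUE`, since the field is a PRBool. With the secure socket now non-blocking, reads and writes on it can return PR_WOULD_BLOCK_ERROR, so the receive and send paths presumably have to retry under a poll bounded by ioblocktimeout. Those paths are not visible in this hunk, so that is worth confirming, ideally with a test where a client stalls mid-handshake. configure_pr_socket starts and ends outside the hunk.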
-- 
2.21.0