From 335f2a35433a949fc30101655a40940bc6ecec12 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Wed, 15 May 2019 17:46:14 +0200 Subject: [PATCH] Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS Bug Description: A secure socket is configured in blocking mode. If an event is detected on a secure socket a worker tries to receive the request. If handshake occurs during the read, it can hang longer than ioblocktimeout because it takes into account the socket option rather than the timeout used for the ssl_Recv Fix Description: The fix is specific to secure socket and set this socket option to do non blocking IO. https://pagure.io/389-ds-base/issue/50329 Reviewed by: ? Platforms tested: F28, RHEL7.6 Flag Day: no Doc impact: no --- ldap/servers/slapd/daemon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c index 4841a8a5c..afe0fb737 100644 --- a/ldap/servers/slapd/daemon.c +++ b/ldap/servers/slapd/daemon.c @@ -3193,7 +3193,7 @@ configure_pr_socket(PRFileDesc **pr_socket, int secure, int local) if (secure) { pr_socketoption.option = PR_SockOpt_Nonblocking; - pr_socketoption.value.non_blocking = 0; + pr_socketoption.value.non_blocking = 1; if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) { PRErrorCode prerr = PR_GetError(); slapi_log_err(SLAPI_LOG_ERR, -- 2.21.0