[xinetd] Add -bad-port-check patch
jsynacek
jsynacek at fedoraproject.org
Mon May 14 08:41:48 UTC 2012
commit 63004d1702caf98a5fb42a94cc2211e65bc50227
Author: Jan Synacek <jsynacek at redhat.com>
Date: Mon May 14 10:36:13 2012 +0200
Add -bad-port-check patch
xinetd-2.3.15-bad-port-check.patch | 106 ++++++++++++++++++++++++++++++++++++
xinetd.spec | 3 +
2 files changed, 109 insertions(+), 0 deletions(-)
---
diff --git a/xinetd-2.3.15-bad-port-check.patch b/xinetd-2.3.15-bad-port-check.patch
new file mode 100644
index 0000000..7849a96
--- /dev/null
+++ b/xinetd-2.3.15-bad-port-check.patch
@@ -0,0 +1,106 @@
+Re-introduce bad_port_check(), which upstream dropped between 2.3.13 and 2.3.14
+for it having been "rather antiquated for years", with no justification given
+for that claim.
+
+--- xinetd-2.3.15/xinetd/builtins.c 2012-05-09 17:40:29.000000000 +0200
++++ xinetd-2.3.15.new/xinetd/builtins.c 2012-05-14 10:25:00.431529805 +0200
+@@ -52,6 +52,7 @@ static void dgram_daytime(const struct s
+ static void stream_chargen(const struct server *) ;
+ static void dgram_chargen(const struct server *) ;
+ static void tcpmux_handler(const struct server *) ;
++static int bad_port_check(const union xsockaddr *, const char *);
+
+ /*
+ * SG - This is the call sequence to get to a built-in service
+@@ -163,6 +164,25 @@ static void stream_echo( const struct se
+ Sclose(descriptor);
+ }
+
++/* For internal UDP services, make sure we don't respond to our ports
++ * on other servers and to low ports of other services (such as DNS).
++ * This can cause looping.
++ */
++static int bad_port_check( const union xsockaddr *sa, const char *func )
++{
++ uint16_t port = 0;
++
++ port = ntohs( xaddrport( sa ) );
++
++ if ( port < 1024 ) {
++ msg(LOG_WARNING, func,
++ "Possible Denial of Service attack from %s %d", xaddrname(sa), port);
++ return (-1);
++ }
++
++ return (0);
++}
++
+ static void dgram_echo( const struct server *serp )
+ {
+ char buf[ DATAGRAM_SIZE ] ;
+@@ -170,6 +190,7 @@ static void dgram_echo( const struct ser
+ ssize_t cc ;
+ socklen_t sin_len = 0;
+ int descriptor = SERVER_FD( serp ) ;
++ const char *func = "dgram_echo" ;
+
+ if( SC_IPV4( SVC_CONF( SERVER_SERVICE( serp ) ) ) )
+ sin_len = sizeof( struct sockaddr_in );
+@@ -178,6 +199,7 @@ static void dgram_echo( const struct ser
+
+ cc = recvfrom( descriptor, buf, sizeof( buf ), 0, (struct sockaddr *)( &lsin ), &sin_len ) ;
+ if ( cc != (ssize_t)-1 ) {
++ if( bad_port_check(&lsin, func) != 0 ) return;
+ (void) sendto( descriptor, buf, (size_t)cc, 0, SA( &lsin ), sizeof( lsin ) ) ;
+ }
+ }
+@@ -292,6 +314,7 @@ static void dgram_daytime( const struct
+ unsigned int buflen = sizeof( time_buf ) ;
+ int descriptor = SERVER_FD( serp ) ;
+ ssize_t val;
++ const char *func = "dgram_daytime" ;
+
+ if ( SC_IPV4( SVC_CONF( SERVER_SERVICE( serp ) ) ) )
+ sin_len = sizeof( struct sockaddr_in );
+@@ -303,6 +326,8 @@ static void dgram_daytime( const struct
+ if ( val == (ssize_t)-1 )
+ return ;
+
++ if( bad_port_check(&lsin, func) != 0 ) return;
++
+ daytime_protocol( time_buf, &buflen ) ;
+
+ (void) sendto( descriptor, time_buf, buflen, 0, SA(&lsin), sizeof( lsin ) ) ;
+@@ -359,6 +384,7 @@ static void dgram_time( const struct ser
+ socklen_t sin_len = 0 ;
+ int fd = SERVER_FD( serp ) ;
+ ssize_t val;
++ const char *func = "dgram_time" ;
+
+ if ( SC_IPV4( SVC_CONF( SERVER_SERVICE( serp ) ) ) )
+ sin_len = sizeof( struct sockaddr_in );
+@@ -368,6 +394,7 @@ static void dgram_time( const struct ser
+ val = recvfrom( fd, buf, sizeof( buf ), 0, (struct sockaddr *)( &lsin ), &sin_len );
+ if ( val == (ssize_t)-1 )
+ return ;
++ if( bad_port_check(&lsin, func) != 0 ) return;
+
+ time_protocol( time_buf ) ;
+ (void) sendto( fd, (char *) time_buf, 4, 0, SA( &lsin ), sin_len ) ;
+@@ -466,6 +493,7 @@ static void dgram_chargen( const struct
+ int fd = SERVER_FD( serp ) ;
+ unsigned int left = sizeof( buf ) ;
+ ssize_t val;
++ const char *func = "dgram_chargen" ;
+
+ if ( SC_IPV4( SVC_CONF( SERVER_SERVICE( serp ) ) ) )
+ sin_len = sizeof( struct sockaddr_in );
+@@ -480,6 +508,8 @@ static void dgram_chargen( const struct
+ bad_variable = 1 ; /* this will cause a compilation error */
+ #endif
+
++ if( bad_port_check(&lsin, func) != 0 ) return;
++
+ for ( p = buf ; left > 2 ; left -= len, p += len )
+ {
+ len = min( LINE_LENGTH+2, left ) ;
diff --git a/xinetd.spec b/xinetd.spec
index 372107f..6abb400 100644
--- a/xinetd.spec
+++ b/xinetd.spec
@@ -52,6 +52,7 @@ Patch24: xinetd-2.3.14-leaking-fds-2a.patch
Patch25: xinetd-2.3.14-instances.patch
# Fix #809272 - Service disabled due to bind failure
Patch26: xinetd-2.3.14-retry-svc-activate-in-cps-restart.patch
+Patch27: xinetd-2.3.15-bad-port-check.patch
BuildRequires: autoconf, automake
BuildRequires: libselinux-devel >= 1.30
@@ -105,6 +106,7 @@ located in the /etc/xinetd.d directory.
%patch24 -p1 -b .leaking-fds-2a
%patch25 -p1 -b .instances
%patch26 -p1 -b .retry-svc-activate
+%patch27 -p1 -b .bad-port-check
aclocal
autoconf
@@ -180,6 +182,7 @@ fi
(-log-crash, -tcp_rpc, -label, -contextconf, -ssize_t)
- Update -pie, -PIE, -poll patch
- Resolves: #820927
+- Add -bad-port-check patch
* Fri Apr 13 2012 Jan Synáček <jsynacek at redhat.com> - 2:2.3.14-46
- Fix: service file: avoid problems when name resolution is not ready
More information about the scm-commits
mailing list