Ticket #1623 (closed defect: fixed)

Opened 1 month ago

Last modified 1 month ago

No limit to accepted incoming connections allows for DoS

Reported by: flynd Assigned to: emostar
Priority: high Milestone: 1.3.6
Component: licq daemon Version: 1.3.5
Keywords: Cc:

Description

Licq accepts all incoming icq connections. This allows an attacker to open connections until the OS limit is reached and Licq crashes.

This problem is also described here: http://www.securityfocus.com/bid/28679

There seems to actually be two problems.
1) Licq uses select() for checking open file descriptors. The fd_set structure can not hold any descriptors with a value of FD_SETSIZE or higher.
2) Licq has no limit on the number of connections it accepts. For non root-processes this is limited by the OS but Licq should limit the number of connections long before it uses up all 1024 file descriptors. If not else so plugins have some left to use.

As far as I know, the direct connections with icq clients in the daemon is the only place that we accept incomming connections. But if there are any more places, they should be checked and fixed too.

I think the attached patch should fix both problems but I haven't tested it against an actual attack. Also I just used 128 as a limit without thinking much about what the value should be. In either case it should probably be a constant defined somewhere else.

Attachments

licq-6140-connectionlimit.patch (1.5 kB) - added by flynd on 2008-04-12 18:03:33.
Patch that should fix the descriptor handling.

Change History

2008-04-12 18:03:33 changed by flynd

  • attachment licq-6140-connectionlimit.patch added.

Patch that should fix the descriptor handling.

2008-04-13 10:41:32 changed by emostar

  • status changed from new to assigned.

2008-04-13 11:12:21 changed by emostar

  • status changed from assigned to closed.
  • resolution set to fixed.

Fixed in r6146