Ticket #1623 (closed defect: fixed)
No limit to accepted incoming connections allows for DoS
| Reported by: | flynd | Owned by: | emostar |
|---|---|---|---|
| Priority: | high | Milestone: | 1.3.6 |
| Component: | licq daemon | Version: | 1.3.5 |
| Keywords: | Cc: |
Description
Licq accepts all incoming icq connections. This allows an attacker to open connections until the OS limit is reached and Licq crashes.
This problem is also described here: http://www.securityfocus.com/bid/28679
There seems to actually be two problems.
1) Licq uses select() for checking open file descriptors. The fd_set structure can not hold any descriptors with a value of FD_SETSIZE or higher.
2) Licq has no limit on the number of connections it accepts. For non root-processes this is limited by the OS but Licq should limit the number of connections long before it uses up all 1024 file descriptors. If not else so plugins have some left to use.
As far as I know, the direct connections with icq clients in the daemon is the only place that we accept incomming connections. But if there are any more places, they should be checked and fixed too.
I think the attached patch should fix both problems but I haven't tested it against an actual attack. Also I just used 128 as a limit without thinking much about what the value should be. In either case it should probably be a constant defined somewhere else.
