# HG changeset patch # User Matt Johnston # Date 1141822391 0 # Node ID 1f5ec029dfe84986fba4d33434ee9d80d1acb2ac # Parent e109fb08b8ee74e13ec686969ecda64f39db889c# Parent 044bc108b9b3f78573ac04b832179927af92f27c merge of 4c883eb469d2d251ee8abddbc11ae4005db6da17 and bed6155e95a293c9fce7e889d283b5958f3035dc diff -r e109fb08b8ee -r 1f5ec029dfe8 dbutil.c --- a/dbutil.c Wed Mar 08 12:53:09 2006 +0000 +++ b/dbutil.c Wed Mar 08 12:53:11 2006 +0000 @@ -588,20 +588,17 @@ } #endif -/* loop until the socket is closed (in case of EINTR) or - * we get and error. - * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ -int m_close(int fd) { +/* make sure that the socket closes */ +void m_close(int fd) { int val; do { val = close(fd); } while (val < 0 && errno == EINTR); - if (val == 0 || errno == EBADF) { - return DROPBEAR_SUCCESS; - } else { - return DROPBEAR_FAILURE; + if (val < 0 && errno != EBADF) { + /* Linux says EIO can happen */ + dropbear_exit("Error closing fd %d, %s", fd, strerror(errno)); } } diff -r e109fb08b8ee -r 1f5ec029dfe8 dbutil.h --- a/dbutil.h Wed Mar 08 12:53:09 2006 +0000 +++ b/dbutil.h Wed Mar 08 12:53:11 2006 +0000 @@ -55,7 +55,7 @@ int buf_readfile(buffer* buf, const char* filename); int buf_getline(buffer * line, FILE * authfile); -int m_close(int fd); +void m_close(int fd); void * m_malloc(size_t size); void * m_strdup(const char * str); void * m_realloc(void* ptr, size_t size); diff -r e109fb08b8ee -r 1f5ec029dfe8 options.h --- a/options.h Wed Mar 08 12:53:09 2006 +0000 +++ b/options.h Wed Mar 08 12:53:11 2006 +0000 @@ -161,6 +161,13 @@ /* Specify the number of clients we will allow to be connected but * not yet authenticated. After this limit, connections are rejected */ +/* The first setting is per-IP, to avoid denial of service */ +#ifndef MAX_UNAUTH_PER_IP +#define MAX_UNAUTH_PER_IP 5 +#endif + +/* And then a global limit to avoid chewing memory if connections + * come from many IPs */ #ifndef MAX_UNAUTH_CLIENTS #define MAX_UNAUTH_CLIENTS 30 #endif diff -r e109fb08b8ee -r 1f5ec029dfe8 svr-chansession.c --- a/svr-chansession.c Wed Mar 08 12:53:09 2006 +0000 +++ b/svr-chansession.c Wed Mar 08 12:53:11 2006 +0000 @@ -851,9 +851,7 @@ /* close file descriptors except stdin/stdout/stderr * Need to be sure FDs are closed here to avoid reading files as root */ for (i = 3; i <= (unsigned int)ses.maxfd; i++) { - if (m_close(i) == DROPBEAR_FAILURE) { - dropbear_exit("Error closing file desc"); - } + m_close(i); } /* clear environment */ diff -r e109fb08b8ee -r 1f5ec029dfe8 svr-main.c --- a/svr-main.c Wed Mar 08 12:53:09 2006 +0000 +++ b/svr-main.c Wed Mar 08 12:53:11 2006 +0000 @@ -29,7 +29,7 @@ #include "signkey.h" #include "runopts.h" -static int listensockets(int *sock, int sockcount, int *maxfd); +static size_t listensockets(int *sock, size_t sockcount, int *maxfd); static void sigchld_handler(int dummy); static void sigsegv_handler(int); static void sigintterm_handler(int fish); @@ -41,8 +41,6 @@ #endif static void commonsetup(); -static int childpipes[MAX_UNAUTH_CLIENTS]; - #if defined(DBMULTI_dropbear) || !defined(DROPBEAR_MULTI) #if defined(DBMULTI_dropbear) && defined(DROPBEAR_MULTI) int dropbear_main(int argc, char ** argv) @@ -80,7 +78,7 @@ static void main_inetd() { struct sockaddr_storage remoteaddr; - int remoteaddrlen; + socklen_t remoteaddrlen; char * addrstring = NULL; /* Set up handlers, syslog, seed random */ @@ -116,14 +114,14 @@ unsigned int i, j; int val; int maxsock = -1; - struct sockaddr_storage remoteaddr; - int remoteaddrlen; int listensocks[MAX_LISTEN_ADDR]; - int listensockcount = 0; + size_t listensockcount = 0; FILE *pidfile = NULL; + int childpipes[MAX_UNAUTH_CLIENTS]; + char * preauth_addrs[MAX_UNAUTH_CLIENTS]; + int childsock; - pid_t childpid; int childpipe[2]; /* fork */ @@ -160,11 +158,13 @@ for (i = 0; i < MAX_UNAUTH_CLIENTS; i++) { childpipes[i] = -1; } + bzero(preauth_addrs, sizeof(preauth_addrs)); /* Set up the listening sockets */ /* XXX XXX ports */ listensockcount = listensockets(listensocks, MAX_LISTEN_ADDR, &maxsock); - if (listensockcount < 0) { + if (listensockcount == 0) + { dropbear_exit("No listening ports available."); } @@ -177,7 +177,7 @@ seltimeout.tv_usec = 0; /* listening sockets */ - for (i = 0; i < (unsigned int)listensockcount; i++) { + for (i = 0; i < listensockcount; i++) { FD_SET(listensocks[i], &fds); } @@ -208,17 +208,27 @@ dropbear_exit("Listening socket error"); } - /* close fds which have been authed or closed - auth.c handles + /* close fds which have been authed or closed - svr-auth.c handles * closing the auth sockets on success */ for (i = 0; i < MAX_UNAUTH_CLIENTS; i++) { if (childpipes[i] >= 0 && FD_ISSET(childpipes[i], &fds)) { - close(childpipes[i]); + m_close(childpipes[i]); childpipes[i] = -1; + m_free(preauth_addrs[i]); } } /* handle each socket which has something to say */ - for (i = 0; i < (unsigned int)listensockcount; i++) { + for (i = 0; i < listensockcount; i++) { + + struct sockaddr_storage remoteaddr; + socklen_t remoteaddrlen = 0; + size_t num_unauthed_for_addr = 0; + size_t num_unauthed_total = 0; + char * remote_addr_str = NULL; + pid_t fork_ret = 0; + size_t conn_idx = 0; + if (!FD_ISSET(listensocks[i], &fds)) continue; @@ -231,28 +241,47 @@ continue; } - /* check for max number of connections not authorised */ + /* Limit the number of unauthenticated connections per IP */ + remote_addr_str = getaddrstring(&remoteaddr, 0); + + num_unauthed_for_addr = 0; + num_unauthed_total = 0; for (j = 0; j < MAX_UNAUTH_CLIENTS; j++) { - if (childpipes[j] < 0) { - break; + if (childpipes[j] >= 0) { + num_unauthed_total++; + if (strcmp(remote_addr_str, preauth_addrs[j]) == 0) { + num_unauthed_for_addr++; + } + } else { + /* a free slot */ + conn_idx = j; } } - if (j == MAX_UNAUTH_CLIENTS) { - /* no free connections */ - /* TODO - possibly log, though this would be an easy way - * to fill logs/disk */ - close(childsock); - continue; + if (num_unauthed_total >= MAX_UNAUTH_CLIENTS + || num_unauthed_for_addr >= MAX_UNAUTH_PER_IP) { + goto out; } if (pipe(childpipe) < 0) { TRACE(("error creating child pipe")) - close(childsock); - continue; + goto out; } - if ((childpid = fork()) == 0) { + fork_ret = fork(); + if (fork_ret < 0) { + dropbear_log(LOG_WARNING, "error forking: %s", strerror(errno)); + goto out; + + } else if (fork_ret > 0) { + + /* parent */ + childpipes[conn_idx] = childpipe[0]; + m_close(childpipe[1]); + preauth_addrs[conn_idx] = remote_addr_str; + remote_addr_str = NULL; + + } else { /* child */ char * addrstring = NULL; @@ -261,6 +290,7 @@ monstartup((u_long)&_start, (u_long)&etext); #endif /* DEBUG_FORKGPROF */ + m_free(remote_addr_str); addrstring = getaddrstring(&remoteaddr, 1); dropbear_log(LOG_INFO, "Child connection from %s", addrstring); @@ -269,15 +299,11 @@ } /* make sure we close sockets */ - for (i = 0; i < (unsigned int)listensockcount; i++) { - if (m_close(listensocks[i]) == DROPBEAR_FAILURE) { - dropbear_exit("Couldn't close socket"); - } + for (i = 0; i < listensockcount; i++) { + m_close(listensocks[i]); } - if (m_close(childpipe[0]) == DROPBEAR_FAILURE) { - dropbear_exit("Couldn't close socket"); - } + m_close(childpipe[0]); /* start the session */ svr_session(childsock, childpipe[1], @@ -286,12 +312,12 @@ /* don't return */ dropbear_assert(0); } - - /* parent */ - childpipes[j] = childpipe[0]; - if (m_close(childpipe[1]) == DROPBEAR_FAILURE - || m_close(childsock) == DROPBEAR_FAILURE) { - dropbear_exit("Couldn't close socket"); + +out: + /* This section is important for the parent too */ + m_close(childsock); + if (remote_addr_str) { + m_free(remote_addr_str); } } } /* for(;;) loop */ @@ -364,11 +390,11 @@ } /* Set up listening sockets for all the requested ports */ -static int listensockets(int *sock, int sockcount, int *maxfd) { +static size_t listensockets(int *sock, size_t sockcount, int *maxfd) { unsigned int i; char* errstring = NULL; - unsigned int sockpos = 0; + size_t sockpos = 0; int nsock; TRACE(("listensockets: %d to try\n", svr_opts.portcount))