------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugs.exim.org/show_bug.cgi?id=770
Summary: Daemon should reinitialize len before calling accept()
Product: Exim
Version: 4.69
Platform: All
OS/Version: FreeBSD
Status: NEW
Severity: bug
Priority: medium
Component: Networking
AssignedTo: nigel@exim.org
ReportedBy: mdounin@mdounin.ru
CC: exim-dev@exim.org
Created an attachment (id=279)
--> (http://bugs.exim.org/attachment.cgi?id=279)
reinitialize len before calling accept()
In src/daemon.c, initialization for len argument of accept() syscall is done
only once per loop over active listening sockets. As a result if operating
system modifies len for some reason, for next socket accept() may be called
with invalid value of len.
At least FreeBSD resets len to 0 on error returned from accept() - and it may
happen e.g. on ECONNABORTED (i.e. client timed out before exim accepted
connection).
I've found this while digging into problem reported by Dmitriy Kirhlarov on
exim-user mailing list (http://permalink.gmane.org/gmane.mail.exim.user/80428).
Dmitriy was observing connections being treated as connections from completely
unrelated IPs as a result of this bug.
Patch attached. It was tested by Dmitriy Kirhlarov and resolves his problem.
--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
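The failure mode described in the report, as an added example that is not Exim's code and not the attached patch: `fake_accept` is a constructed stand-in that models the reported FreeBSD behaviour (len set to 0 on ECONNABORTED), and `first_peer`, the descriptor numbers and both addresses are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

typedef int (*accept_fn)(int, struct sockaddr *, socklen_t *);

/* Constructed stand-in for accept(): listener 0 fails with ECONNABORTED and
   zeroes *len (the behaviour the report describes); listener 1 succeeds and,
   like the real call, writes at most *len bytes of the peer address. */
int fake_accept(int fd, struct sockaddr *sa, socklen_t *len)
{
    struct sockaddr_in peer;
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_addr.s_addr = inet_addr("192.0.2.7");      /* real client, constructed */
    if (fd == 0) { *len = 0; errno = ECONNABORTED; return -1; }
    memcpy(sa, &peer, *len < sizeof peer ? *len : sizeof peer);
    *len = sizeof peer;
    return 100;                                         /* pretend connection fd */
}

/* Walk the listeners and return the address (network byte order) that would
   be attributed to the first accepted connection. The buffer starts out
   holding a stale address, as it would in a long-running daemon.
   reinit_len = 0 sets len once per loop; reinit_len = 1 resets it per call. */
in_addr_t first_peer(accept_fn do_accept, int nfds, int reinit_len)
{
    struct sockaddr_in accepted;
    socklen_t len = sizeof accepted;                    /* set once: the bug */
    memset(&accepted, 0, sizeof accepted);
    accepted.sin_addr.s_addr = inet_addr("198.51.100.9"); /* stale, constructed */
    for (int fd = 0; fd < nfds; fd++) {
        if (reinit_len) len = sizeof accepted;          /* the fix */
        if (do_accept(fd, (struct sockaddr *)&accepted, &len) < 0) continue;
        return accepted.sin_addr.s_addr;
    }
    return INADDR_NONE;
}

int main(void)
{
    struct in_addr a;
    a.s_addr = first_peer(fake_accept, 2, 0); printf("len set once: %s\n", inet_ntoa(a));
    a.s_addr = first_peer(fake_accept, 2, 1); printf("len per call: %s\n", inet_ntoa(a));
    return 0;
}
```

With len left at 0 after the failed call, the second call copies no address bytes, so the connection is attributed to whatever the buffer already held.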