From 5da265eb9a023964f00d3ff6b54bcc64107dcf5a Mon Sep 17 00:00:00 2001

From: Thierry Bordaz <tbordaz@redhat.com>

Date: Wed, 15 May 2019 17:46:14 +0200

Subject: [PATCH] Ticket 50329 - (2nd) Possible Security Issue: DOS due to

 ioblocktimeout not applying to TLS

Bug Description:

    A secure socket is configured in blocking mode. If an event

    is detected on a secure socket a worker tries to receive the request.

    If handshake occurs during the read, it can hang longer than

    ioblocktimeout because it takes into account the socket option

    rather than the timeout used for the ssl_Recv

Fix Description:

    The fix is specific to secure socket and set this socket option

    to do non blocking IO.

https://pagure.io/389-ds-base/issue/50329

Reviewed by: ?

Platforms tested: F28, RHEL7.6

Flag Day: no

Doc impact: no

---

 ldap/servers/slapd/daemon.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c

index 2daa21034..519fd2f86 100644

--- a/ldap/servers/slapd/daemon.c

+++ b/ldap/servers/slapd/daemon.c

@@ -3174,7 +3174,7 @@ configure_pr_socket(PRFileDesc **pr_socket, int secure, int local)

     if (secure) {

         pr_socketoption.option = PR_SockOpt_Nonblocking;

-        pr_socketoption.value.non_blocking = 0;

+        pr_socketoption.value.non_blocking = 1;

         if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) {

             PRErrorCode prerr = PR_GetError();

             slapi_log_err(SLAPI_LOG_ERR,

-- 

2.21.0