Fixed a mount DOS (bz 1163886)

Signed-off-by: Steve Dickson <steved@redhat.com>

nfs-utils-1.3.1-mountd-dos.patch

@@ -0,0 +1,168 @@
+diff -up nfs-utils-1.3.1/support/include/nfslib.h.save nfs-utils-1.3.1/support/include/nfslib.h
+--- nfs-utils-1.3.1/support/include/nfslib.h.save	2014-11-13 13:36:10.054248000 -0500
++++ nfs-utils-1.3.1/support/include/nfslib.h	2014-11-13 13:37:14.045142000 -0500
+@@ -174,6 +174,7 @@ void closeall(int min);
+ 
+ int			svctcp_socket (u_long __number, int __reuse);
+ int			svcudp_socket (u_long __number);
++int			svcsock_nonblock (int __sock);
+ 
+ /* Misc shared code prototypes */
+ size_t  strlcat(char *, const char *, size_t);
+diff -up nfs-utils-1.3.1/support/nfs/rpcmisc.c.save nfs-utils-1.3.1/support/nfs/rpcmisc.c
+--- nfs-utils-1.3.1/support/nfs/rpcmisc.c.save	2014-11-13 13:36:19.386524000 -0500
++++ nfs-utils-1.3.1/support/nfs/rpcmisc.c	2014-11-13 13:37:14.051143000 -0500
+@@ -104,7 +104,7 @@ makesock(int port, int proto)
+ 		return -1;
+ 	}
+ 
+-	return sock;
++	return svcsock_nonblock(sock);
+ }
+ 
+ void
+diff -up nfs-utils-1.3.1/support/nfs/svc_create.c.save nfs-utils-1.3.1/support/nfs/svc_create.c
+--- nfs-utils-1.3.1/support/nfs/svc_create.c.save	2014-11-13 13:36:44.554269000 -0500
++++ nfs-utils-1.3.1/support/nfs/svc_create.c	2014-11-13 13:37:29.571601000 -0500
+@@ -49,6 +49,8 @@
+ 
+ #ifdef HAVE_LIBTIRPC
+ 
++#include <rpc/rpc_com.h>
++
+ #define SVC_CREATE_XPRT_CACHE_SIZE	(8)
+ static SVCXPRT *svc_create_xprt_cache[SVC_CREATE_XPRT_CACHE_SIZE] = { NULL, };
+ 
+@@ -277,6 +279,12 @@ svc_create_nconf_rand_port(const char *n
+ 			"(%s, %u, %s)", name, version, nconf->nc_netid);
+ 		return 0;
+ 	}
++	if (svcsock_nonblock(xprt->xp_fd) < 0) {
++		/* close() already done by svcsock_nonblock() */
++		xprt->xp_fd = RPC_ANYFD;
++		SVC_DESTROY(xprt);
++		return 0;
++	}
+ 
+ 	if (!svc_reg(xprt, program, version, dispatch, nconf)) {
+ 		/* svc_reg(3) destroys @xprt in this case */
+@@ -332,6 +340,7 @@ svc_create_nconf_fixed_port(const char *
+ 		int fd;
+ 
+ 		fd = svc_create_sock(ai->ai_addr, ai->ai_addrlen, nconf);
++		fd = svcsock_nonblock(fd);
+ 		if (fd == -1)
+ 			goto out_free;
+ 
+@@ -394,6 +403,7 @@ nfs_svc_create(char *name, const rpcprog
+ 	const struct sigaction create_sigaction = {
+ 		.sa_handler	= SIG_IGN,
+ 	};
++	int maxrec = RPC_MAXDATASIZE;
+ 	unsigned int visible, up, servport;
+ 	struct netconfig *nconf;
+ 	void *handlep;
+@@ -405,6 +415,20 @@ nfs_svc_create(char *name, const rpcprog
+ 	 */
+ 	(void)sigaction(SIGPIPE, &create_sigaction, NULL);
+ 
++	/*
++	 * Setting MAXREC also enables non-blocking mode for tcp connections.
++	 * This avoids DOS attacks by a client sending many requests but never
++	 * reading the reply:
++	 * - if a second request already is present for reading in the socket,
++	 *   after the first request just was read, libtirpc will break the
++	 *   connection. Thus an attacker can't simply send requests as fast as
++	 *   he can without waiting for the response.
++	 * - if the write buffer of the socket is full, the next write() will
++	 *   fail with EAGAIN. libtirpc will retry the write in a loop for max.
++	 *   2 seconds. If write still fails, the connection will be closed.
++	 */   
++	rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrec);
++
+ 	handlep = setnetconfig();
+ 	if (handlep == NULL) {
+ 		xlog(L_ERROR, "Failed to access local netconfig database: %s",
+diff -up nfs-utils-1.3.1/support/nfs/svc_socket.c.save nfs-utils-1.3.1/support/nfs/svc_socket.c
+--- nfs-utils-1.3.1/support/nfs/svc_socket.c.save	2014-11-13 13:36:29.925836000 -0500
++++ nfs-utils-1.3.1/support/nfs/svc_socket.c	2014-11-13 13:37:14.055142000 -0500
+@@ -76,6 +76,39 @@ int getservport(u_long number, const cha
+ 	return 0;
+ }
+ 
++int
++svcsock_nonblock(int sock)
++{
++	int flags;
++
++	if (sock < 0)
++		return sock;
++
++	/* This socket might be shared among multiple processes
++	 * if mountd is run multi-threaded.  So it is safest to
++	 * make it non-blocking, else all threads might wake
++	 * one will get the data, and the others will block
++	 * indefinitely.
++	 * In all cases, transaction on this socket are atomic
++	 * (accept for TCP, packet-read and packet-write for UDP)
++	 * so O_NONBLOCK will not confuse unprepared code causing
++	 * it to corrupt messages.
++	 * It generally safest to have O_NONBLOCK when doing an accept
++	 * as if we get a RST after the SYN and before accept runs,
++	 * we can block despite being told there was an acceptable
++	 * connection.
++	 */
++	if ((flags = fcntl(sock, F_GETFL)) < 0)
++		perror(_("svc_socket: can't get socket flags"));
++	else if (fcntl(sock, F_SETFL, flags|O_NONBLOCK) < 0)
++		perror(_("svc_socket: can't set socket flags"));
++	else
++		return sock;
++
++	(void) __close(sock);
++	return -1;
++}
++
+ static int
+ svc_socket (u_long number, int type, int protocol, int reuse)
+ {
+@@ -113,38 +146,7 @@ svc_socket (u_long number, int type, int
+       sock = -1;
+     }
+ 
+-  if (sock >= 0)
+-    {
+-	    /* This socket might be shared among multiple processes
+-	     * if mountd is run multi-threaded.  So it is safest to
+-	     * make it non-blocking, else all threads might wake
+-	     * one will get the data, and the others will block
+-	     * indefinitely.
+-	     * In all cases, transaction on this socket are atomic
+-	     * (accept for TCP, packet-read and packet-write for UDP)
+-	     * so O_NONBLOCK will not confuse unprepared code causing
+-	     * it to corrupt messages.
+-	     * It generally safest to have O_NONBLOCK when doing an accept
+-	     * as if we get a RST after the SYN and before accept runs,
+-	     * we can block despite being told there was an acceptable
+-	     * connection.
+-	     */
+-	int flags;
+-	if ((flags = fcntl(sock, F_GETFL)) < 0)
+-	  {
+-	      perror (_("svc_socket: can't get socket flags"));
+-	      (void) __close (sock);
+-	      sock = -1;
+-	  }
+-	else if (fcntl(sock, F_SETFL, flags|O_NONBLOCK) < 0)
+-	  {
+-	      perror (_("svc_socket: can't set socket flags"));
+-	      (void) __close (sock);
+-	      sock = -1;
+-	  }
+-    }
+-
+-  return sock;
++  return svcsock_nonblock(sock);
+ }
+ 
+ /*

nfs-utils.spec

@@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser
 Name: nfs-utils
 URL: http://sourceforge.net/projects/nfs
 Version: 1.3.1
-Release: 2.2%{?dist}
+Release: 2.3%{?dist}
 Epoch: 1
 
 # group all 32bit related archs
@@ -16,6 +16,7 @@ Source3: nfs-utils_env.sh
 Source4: lockd.conf
 
 Patch001: nfs-utils-1.3.2-rc2.patch
+Patch002: nfs-utils-1.3.1-mountd-dos.patch
 
 Patch100: nfs-utils-1.2.1-statdpath-man.patch
 Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch
@@ -74,6 +75,7 @@ This package also contains the mount.nfs and umount.nfs program.
 %setup -q
 
 %patch001 -p1
+%patch002 -p1
 
 %patch100 -p1
 %patch101 -p1
@@ -283,6 +285,9 @@ fi
 /sbin/umount.nfs4
 
 %changelog
+* Thu Nov 13 2014 Steve Dickson <steved@redhat.com> 1.3.1-2.3
+- Fixed a mount DOS (bz 1163886)
+
 * Thu Nov  6 2014 Richard W.M. Jones <rjones@redhat.com> 1.3.1-2.2
 - Rebuild against new libnfsimap (bz 1160883)