Package: xinetd
Version: 2.3.14-7
Severity: normal
Tags: patch

There is a bug with the measurement of cps. The code averaged things over a period of time, of length conn_max: even if such an averaging was "wanted", the period surely should not increase with conn_max. As an example, with (default) "cps 50 10", if after a long quiet time we had one connection each second, then in the 10th second allowed 490 connections, or in the 49th second allowed 2400 connections, before disabling the service.
I propose the following patch (much simplifying the code) to fix. Cheers, Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia --- access.c-2.3.14-7 2005-10-06 03:15:33.000000000 +1000 +++ access.c 2009-04-14 07:18:10.000000000 +1000 @@ -286,17 +286,12 @@ /* CPS handler */ if( SC_TIME_CONN_MAX(scp) != 0 ) { - int time_diff; nowtime = time(NULL); - time_diff = nowtime - SC_TIME_LIMIT(scp) ; - if( SC_TIME_CONN(scp) == 0 ) { + if( nowtime == SC_TIME_LIMIT(scp) && SC_TIME_CONN(scp) > 0 ) { + /* Count connections during this very same second */ SC_TIME_CONN(scp)++; - SC_TIME_LIMIT(scp) = nowtime; - } else if( time_diff < SC_TIME_CONN_MAX(scp) ) { - SC_TIME_CONN(scp)++; - if( time_diff == 0 ) time_diff = 1; - if( SC_TIME_CONN(scp)/time_diff > SC_TIME_CONN_MAX(scp) ) { + if( SC_TIME_CONN(scp) > SC_TIME_CONN_MAX(scp) ) { cps_service_stop(sp, "excessive incoming connections"); return(AC_CPS); } -- System Information: Debian Release: 4.0 APT prefers oldstable APT policy: (500, 'oldstable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.24-pk03.03-svr Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
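Review bot: the new condition `if( nowtime == SC_TIME_LIMIT(scp) && SC_TIME_CONN(scp) > 0 )` relies on the else branch that lies outside this hunk to set `SC_TIME_CONN(scp) = 1` and `SC_TIME_LIMIT(scp) = nowtime` for the first connection of a new second; without that reset the counter would never be armed and the limit would never trip, so please confirm the unchanged tail of the block still does this (the old code set `SC_TIME_LIMIT` itself in the `SC_TIME_CONN(scp) == 0` branch, which is removed here). Two further points: the `int time_diff;` declaration is removed, so check that no remaining line of the function still references it; and because `time()` has one-second resolution, a burst straddling a second boundary can reach up to twice `SC_TIME_CONN_MAX` accepted connections before `cps_service_stop()` is called, which matches the documented "cps N" meaning (N per second) but is worth a comment next to the new check.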
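As an added illustration of the averaging problem the report describes, here is a stand-alone C simulation of both counting rules. It is not xinetd code and not part of the report: the xinetd macros are replaced by plain struct fields, the call to cps_service_stop() is modelled as returning false, and the branch the hunk does not show (what happens once the window has expired or the counter is zero) is assumed to reset the counter to 1 and record the current second. Under those assumptions the old rule accepts a few hundred or a few thousand connections inside one second after a slow lead-in, while the new rule stops at the configured limit regardless of history.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the three SC_TIME_* fields used in access.c. */
struct cps_state {
    int  conn;   /* SC_TIME_CONN: connections counted in the current window */
    long limit;  /* SC_TIME_LIMIT: second at which the window started       */
    int  max;    /* SC_TIME_CONN_MAX: the N of "cps N M"                    */
};

/* Old rule (the '-' lines of the hunk): divide the running count by the
 * number of seconds since the window started, so the permitted count
 * grows with the age of the window, up to max seconds. */
static bool old_accept(struct cps_state *s, long now)
{
    int time_diff = (int)(now - s->limit);
    if (s->conn == 0) {
        s->conn++;
        s->limit = now;
    } else if (time_diff < s->max) {
        s->conn++;
        if (time_diff == 0) time_diff = 1;
        if (s->conn / time_diff > s->max)
            return false;          /* cps_service_stop() in xinetd */
    } else {
        s->conn = 1;               /* ASSUMED reset branch, not in the hunk */
        s->limit = now;
    }
    return true;
}

/* New rule (the '+' lines of the hunk): count only within the same second. */
static bool new_accept(struct cps_state *s, long now)
{
    if (now == s->limit && s->conn > 0) {
        s->conn++;
        if (s->conn > s->max)
            return false;          /* cps_service_stop() in xinetd */
    } else {
        s->conn = 1;               /* ASSUMED reset branch, not in the hunk */
        s->limit = now;
    }
    return true;
}

/* Scenario from the report: starting from an idle service, one connection in
 * each of lead_secs consecutive seconds, then a burst in the next second.
 * Returns how many burst connections are accepted before the stop fires. */
static int burst_accepted(bool (*accept)(struct cps_state *, long),
                          int max, int lead_secs)
{
    struct cps_state s = { 0, 0, max };
    long t0 = 1000000;             /* constructed start time, not wall-clock */
    for (int k = 0; k < lead_secs; k++)
        accept(&s, t0 + k);        /* one quiet connection per second */

    int accepted = 0;
    long burst_sec = t0 + lead_secs;
    while (accept(&s, burst_sec))  /* hammer the same second until stopped */
        accepted++;
    return accepted;
}

int main(void)
{
    int lead[] = { 0, 10, 49 };
    for (int i = 0; i < 3; i++)
        printf("lead %2d s: old rule accepts %4d, new rule accepts %2d\n",
               lead[i], burst_accepted(old_accept, 50, lead[i]),
               burst_accepted(new_accept, 50, lead[i]));
    return 0;
}
```

With "cps 50" and a ten-second lead-in the old rule admits 499 connections in the burst second, and 2449 after a 49-second lead-in; the exact figure depends on which second is counted as the tenth and on the assumed reset branch, which is why it lands near rather than exactly on the rounded numbers in the report. The new rule accepts 50 in every case, the same as the old rule does from a cold start.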

