#1623: No limit to accepted incoming connections allows for DoS
-------------------------+--------------------------------------------------
Reporter: flynd | Owner: emostar
Type: defect | Status: new
Priority: high | Milestone: 1.3.6
Component: licq daemon | Version: 1.3.5
Keywords: |
-------------------------+--------------------------------------------------
Licq accepts all incoming icq connections. This allows an attacker to open
connections until the OS limit is reached and Licq crashes.
This problem is also described here:
http://www.securityfocus.com/bid/28679
There seems to actually be two problems.[[BR]]
1) Licq uses select() for checking open file descriptors. The fd_set
structure can not hold any descriptors with a value of FD_SETSIZE or
higher.[[BR]]
2) Licq has no limit on the number of connections it accepts. For non
root-processes this is limited by the OS but Licq should limit the number
of connections long before it uses up all 1024 file descriptors. If not
else so plugins have some left to use.
As far as I know, the direct connections with icq clients in the daemon is
the only place that we accept incomming connections. But if there are any
more places, they should be checked and fixed too.
I think the attached patch should fix both problems but I haven't tested
it against an actual attack. Also I just used 128 as a limit without
thinking much about what the value should be. In either case it should
probably be a constant defined somewhere else.
--
Ticket URL: <http://www.licq.org/ticket/1623>
Licq <http://trac.licq.org/>
Licq - an instant messaging client for UNIX.
