Hi, jabberd-2.0s11 contains a file descriptor leak. I have seen my server eat up all available file descriptors, so this can very probably be exploited to construct a DOS attack.
In August 2006, my colleague Klara Mall prepared a patch and sent it upstream [1]. It was ignored. For that reason, I sent the patch to the maintainer (Gerardo), but received no feedback. In September, I sent the patch to [email protected] [2]. I'm not aware of anyone looking at it. Since the problems just reported by Mike Erdely might well be related, I now resubmit the patch.

The patch compiles and runs on i386-current. For testing it, I followed http://www.openbsd.org/porttest.html. Besides, I'm running it in production on 3.9-stable since August 2006.

Mike, please test... Gerardo, I should appreciate your feedback, too.

Yours, Ingo

References:
[1] http://j2.openaether.org/bugzilla/show_bug.cgi?id=23
[2] http://marc.theaimsgroup.com/?l=openbsd-ports&m=115862241821531

Index: Makefile =================================================================== RCS file: /cvs/ports/net/jabberd/Makefile,v retrieving revision 1.28 diff -u -r1.28 Makefile --- Makefile 11 Nov 2006 14:38:23 -0000 1.28 +++ Makefile 4 Dec 2006 01:00:46 -0000 @@ -2,7 +2,7 @@ COMMENT= "jabber server" DISTNAME= jabberd-2.0s11 -PKGNAME= ${DISTNAME}p0 +PKGNAME= ${DISTNAME}p1 CATEGORIES= net HOMEPAGE= http://jabberd.jabberstudio.org/2/ MAINTAINER= Gerardo Santana Gomez Garrido <[EMAIL PROTECTED]> Index: patches/patch-sx_io_c =================================================================== RCS file: patches/patch-sx_io_c diff -N patches/patch-sx_io_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-sx_io_c 4 Dec 2006 01:00:46 -0000 
@@ -0,0 +1,18 @@ +$OpenBSD$ +--- sx/io.c.orig 2005-06-22 22:33:40.000000000 +0200 ++++ sx/io.c 2006-08-20 18:13:16.000000000 +0200 +@@ -294,9 +294,11 @@ + + ret = _sx_get_pending_write(s); + if (ret < 0) { +- /* fatal error */ +- /* !!! shut down */ +- return 0; ++ /* fatal error */ ++ _sx_debug(ZONE, "fatal error after attempt to write on fd %d", s->tag); ++ /* permanent error so inform the app it can kill us */ ++ sx_kill(s); ++ return 0; + } + + /* if there's nothing to write, then we're done */
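Review bot: In the `ret < 0` branch of sx/io.c, the function still returns 0 after `sx_kill(s)`, the same value the old code returned, so please confirm that every caller treats `s` as dead after this return and does not touch it again or queue further writes on it. The hunk itself does not close the descriptor; per the added comment it only informs the app that it can kill the stream, so the leak is fixed only if the application's handler for that event actually closes the socket, and that dependency deserves a sentence in the patch description. The debug message also prints `s->tag` as "fd %d"; if the tag is not guaranteed to be the descriptor, reword the message so the log is not misleading during incident triage.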
