Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/09/15 16:00:54 UTC
[Bug 3782] New: Spamd is not using timeouts on sockets - Possible DoS
http://bugzilla.spamassassin.org/show_bug.cgi?id=3782
Summary: Spamd is not using timeouts on sockets - Possible DoS
Product: Spamassassin
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P5
Component: spamc/spamd
AssignedTo: dev@spamassassin.apache.org
ReportedBy: laza@yu.net
Hello,

If a client connection is broken during mail upload to spamd (after the request
header), spamd will keep the connection for an undefined period of time (arch
dependent), which may cause DoS against spamd (if -m is defined) and/or complete
machine DoS (if -m is undef, or is set to a high value).

Versions 2.6x and 3.0x suffer from this on various Linux and Windows versions,
possibly others.

However, it seems that 2.6x has its own select calls, so it's possible to avoid DoS.
3.0x completely relies upon IO::Socket / IO::Handle modules for timeout values on
I/O. IO::Socket doesn't actually implement timeouts (code is commented), and
IO::Handle, since using "struct FILE", isn't supposed to implement.
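One way a server can bound the body read described in the report, as an added example that is not spamd's code or the reporter's: select() via IO::Select plus unbuffered sysread, with a per-read idle timeout and an overall deadline. The helper name read_body, the timeout values and the socketpair demo are assumptions made for illustration, and the demo expects a Unix-like system.

```perl
#!/usr/bin/perl
# Added example (not spamd code): read a message body with an idle timeout
# and an overall deadline, so a stalled client cannot hold a worker forever.
use strict;
use warnings;
use IO::Select;
use Socket qw(AF_UNIX SOCK_STREAM PF_UNSPEC);
use Time::HiRes qw(time);

# read_body($sock, $want, $idle, $total) is a hypothetical helper.
# Returns ($body, undef) on success or (undef, $reason) on failure.
sub read_body {
    my ($sock, $want, $idle, $total) = @_;
    my $sel      = IO::Select->new($sock);
    my $deadline = time() + $total;
    my $buf      = '';
    while (length($buf) < $want) {
        my $left = $deadline - time();
        return (undef, 'total timeout') if $left <= 0;
        my $wait = $left < $idle ? $left : $idle;
        # can_read() wraps select(); an empty list means nothing arrived in $wait seconds
        return (undef, 'idle timeout') unless $sel->can_read($wait);
        # sysread, not <$sock> or read(): a buffered read could block again
        # inside the I/O layer after select() has returned
        my $n = sysread($sock, $buf, $want - length($buf), length($buf));
        if (!defined $n) {
            next if $!{EINTR};                 # interrupted by a signal, retry
            return (undef, "read error: $!");
        }
        return (undef, 'client closed early') if $n == 0;
    }
    return ($buf, undef);
}

# Constructed demo: a socketpair stands in for the client connection.
socketpair(my $srv, my $cli, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
    or die "socketpair: $!";
# The "client" sends 15 of the 100 bytes it promised, then stalls.
syswrite($cli, 'partial message');
my ($body, $err) = read_body($srv, 100, 1, 3);   # 1 s idle, 3 s total (constructed values)
print defined $body ? "got body\n" : "dropped connection: $err\n";
```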