Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/09/15 16:00:54 UTC

[Bug 3782] New: Spamd is not using timeouts on sockets - Possible DoS

http://bugzilla.spamassassin.org/show_bug.cgi?id=3782

           Summary: Spamd is not using timeouts on sockets - Possible DoS
           Product: Spamassassin
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: spamc/spamd
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: laza@yu.net


Hello, 

If a client connection is broken during mail upload to spamd (after the request
header), spamd will keep the connection for an undef period of time (arch
dependent), which may cause DoS against spamd (if -m is defined) and/or complete
machine DoS (if -m is undef, or is set to a high value).

Versions 2.6x and 3.0x suffer from this on various Linux and Windows versions,
possibly others.

However, it seems that 2.6x has its own select calls, so it's possible to avoid DoS.

3.0x completely relies upon IO::Socket / IO::Handle modules for timeout values on
I/O. IO::Socket doesn't actually implement timeouts (code is commented), and
IO::Handle, since using "struct FILE", isn't supposed to implement them.



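An added example, not part of the original report and not spamd's own code: one way a Perl server can bound a body read with explicit select-based timeouts instead of relying on IO::Socket's timeout value. The function name read_with_timeout, the idle/total limits and the socketpair standing in for the client connection are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Select;
use Socket;
use Time::HiRes qw(time);

# Hypothetical helper: read exactly $want bytes from $sock. Gives up when no
# data arrives for $idle seconds, or when $total seconds have passed overall.
# Returns the data, or undef on timeout, early EOF or read error.
sub read_with_timeout {
    my ($sock, $want, $idle, $total) = @_;
    my $sel      = IO::Select->new($sock);
    my $deadline = time() + $total;
    my $buf      = '';
    while (length($buf) < $want) {
        my $left = $deadline - time();
        return if $left <= 0;                      # overall deadline reached
        my $wait  = $left < $idle ? $left : $idle;
        my @ready = $sel->can_read($wait);
        return unless @ready;                      # peer went silent
        # sysread, not buffered read, so select() sees the real socket state
        my $n = sysread($sock, $buf, $want - length($buf), length($buf));
        return unless $n;                          # error or EOF mid-body
    }
    return $buf;
}

# Constructed demo: a socketpair stands in for the client <-> server link.
socketpair(my $client, my $server, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
    or die "socketpair: $!";

# Broken client: 100 body bytes expected, 10 sent, then nothing more.
syswrite($client, "0123456789");
my $start = time();
my $body  = read_with_timeout($server, 100, 1, 5);
printf "stalled upload:  %s after %.1fs\n",
    defined $body ? "got body" : "timed out, child can close and exit",
    time() - $start;

# Well-behaved client: the whole body arrives and the read returns at once.
syswrite($client, "x" x 100);
$body = read_with_timeout($server, 100, 1, 5);
printf "complete upload: %d bytes read\n", defined $body ? length($body) : 0;
```

The idle limit frees a child whose peer has vanished, and the overall limit also bounds a peer that keeps the connection alive by sending a few bytes at a time.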