On Tue, Dec 29, 2015 at 03:48:45PM +0100, Hannes Frederic Sowa wrote: > On 28.12.2015 15:14, Willy Tarreau wrote: > >It is possible for a process to allocate and accumulate far more FDs than > >the process' limit by sending them over a unix socket then closing them > >to keep the process' fd count low. > > > >This change addresses this problem by keeping track of the number of FDs > >in flight per user and preventing non-privileged processes from having > >more FDs in flight than their configured FD limit. > > > >Reported-by: socketp...@gmail.com > >Suggested-by: Linus Torvalds <torva...@linux-foundation.org> > >Signed-off-by: Willy Tarreau <w...@1wt.eu> > > Thanks for the patch! > > I think this does not close the DoS attack completely as we duplicate > fds if the reader uses MSG_PEEK on the unix domain socket and thus > clones the fd. Have I overlooked something?
I didn't know this behaviour. However, then the fd remains in flight, right ? So as long as it's not removed from the queue, the sender cannot add more than its FD limit. I may be missing something obvious though :-/ Thanks, Willy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
