From bg@manian.sics.se  Thu Jan  8 08:57:54 2004
Return-Path: <bg@manian.sics.se>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3713016A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  8 Jan 2004 08:57:54 -0800 (PST)
Received: from manian.sics.se (manian.sics.se [193.10.66.13])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 18CF843D41
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  8 Jan 2004 08:57:51 -0800 (PST)
	(envelope-from bg@manian.sics.se)
Received: from manian.sics.se (localhost [127.0.0.1])
	by manian.sics.se (8.12.10/8.12.10) with ESMTP id i08Gvxet020047;
	Thu, 8 Jan 2004 17:57:59 +0100 (CET)
	(envelope-from bg@manian.sics.se)
Received: (from bg@localhost)
	by manian.sics.se (8.12.10/8.12.10/Submit) id i08Gvx5t020046;
	Thu, 8 Jan 2004 17:57:59 +0100 (CET)
	(envelope-from bg)
Message-Id: <200401081657.i08Gvx5t020046@manian.sics.se>
Date: Thu, 8 Jan 2004 17:57:59 +0100 (CET)
From: Bjoern Groenvall <bg@sics.se>
Reply-To: Bjoern Groenvall <bg@sics.se>
To: FreeBSD-gnats-submit@freebsd.org
Cc: bg@sics.se
Subject: nfsd sometimes exits prematurely during port-scan
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         61084
>Category:       bin
>Synopsis:       nfsd sometimes exits prematurely during port-scan
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 08 09:00:32 PST 2004
>Closed-Date:    Sun May 02 15:21:03 PDT 2004
>Last-Modified:  Tue Nov 23 23:50:15 GMT 2004
>Originator:     Bjoern Groenvall
>Release:        FreeBSD 5.2-RC i386
>Organization:
SICS
>Environment:
System: FreeBSD dim.sics.se 5.2-RC FreeBSD 5.2-RC #1: Fri Dec 19 16:32:35 CET 2003     root@dim.sics.se:/usr/src/sys/i386/compile/DIM  i386

>Description:

When an NFS server is port-scanned, nfsd sometimes exits. This has happened
3 times in the last few weeks.

Nfsd has been written to exit when accept(2) fails. Unfortunately
accept can sometimes make a "normal" return with errno ECONNABORTED
and in this case nfsd exits prematurely (see below).

Dec 22 16:25:59 dim kernel: Limiting closed port RST response from 363 to 200 packets/sec
Dec 22 16:25:59 dim nfsd[417]: accept failed: Software caused connection abort
Dec 22 16:26:00 dim kernel: Limiting closed port RST response from 215 to 200 packets/sec

Dec 28 08:26:43 dim kernel: Limiting closed port RST response from 325 to 200 packets/sec
Dec 28 08:26:43 dim nfsd[36538]: accept failed: Software caused connection abort
Dec 28 08:26:45 dim kernel: Limiting closed port RST response from 431 to 200 packets/sec

Jan  7 00:37:12 dim kernel: Limiting closed port RST response from 305 to 200 packets/sec
Jan  7 00:37:12 dim nfsd[89133]: accept failed: Software caused connection abort
Jan  7 00:37:14 dim kernel: Limiting closed port RST response from 371 to 200 packets/sec


>How-To-Repeat:

Unknown. Perhaps possible using a port-scan program of some sort.

>Fix:

This is a sample fix that also handles rare "normal" returns with errno EINTR.

--- nfsd.c.orig	Thu Jul 25 08:18:22 2002
+++ nfsd.c	Wed Jan  7 18:02:18 2004
@@ -658,6 +658,8 @@
 			if (select(maxsock + 1,
 			    &ready, NULL, NULL, NULL) < 1) {
 				syslog(LOG_ERR, "select failed: %m");
+				if (errno == EINTR)
+					continue;
 				nfsd_exit(1);
 			}
 		}
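Review bot: In the select() failure branch, errno is tested only after syslog(LOG_ERR, "select failed: %m") has run, and syslog() is not guaranteed to leave errno unchanged, so the EINTR test may see a different value than the one select() set. Test errno (or save it in a local) before logging, and skip the LOG_ERR message for EINTR, since an interrupted select() is not a failure worth reporting.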
@@ -668,6 +670,9 @@
 					if ((msgsock = accept(tcpsock,
 					    (struct sockaddr *)&inetpeer, &len)) < 0) {
 						syslog(LOG_ERR, "accept failed: %m");
+						if (errno == ECONNABORTED ||
+						    errno == EINTR)
+							continue;
 						nfsd_exit(1);
 					}
 					memset(inetpeer.sin_zero, 0,
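Review bot: In this accept() branch every ECONNABORTED is still logged at LOG_ERR before the continue, and because the daemon now keeps running, a scan that aborts connections produces one log line per aborted connection for as long as it lasts. Move the errno test ahead of the syslog() call (which also avoids reading errno after syslog() may have changed it) and either drop the message for ECONNABORTED and EINTR or log it at a lower priority such as LOG_DEBUG.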
@@ -688,6 +693,9 @@
 					    &len)) < 0) {
 						syslog(LOG_ERR,
 						     "accept failed: %m");
+						if (errno == ECONNABORTED ||
+						    errno == EINTR)
+							continue;
 						nfsd_exit(1);
 					}
 					if (setsockopt(msgsock, SOL_SOCKET,
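Review bot: This second accept() branch repeats the same three-line errno test that was added to the first accept() branch, so the two paths can drift apart if another transient errno is added to one of them later. Consider a small helper that takes the saved errno and reports whether the failure is transient, and call it from both branches.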



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sat Jan 10 17:29:22 PST 2004 
Responsible-Changed-Why:  
Committed as src/usr.sbin/nfsd/nfsd.c:1.29.  Will MFC after a couple 
of weeks.  Thanks for the patch! 


http://www.freebsd.org/cgi/query-pr.cgi?pr=61084 
State-Changed-From-To: open->closed 
State-Changed-By: rwatson 
State-Changed-When: Sun May 2 15:19:17 PDT 2004 
State-Changed-Why:  
This change was MFC'd on 2004/03/30 as src/sbin/nfsd.c:1.15.2.2. 



From: Robert Watson <rwatson@FreeBSD.org>
To: Phil Brennan <phil.brennan@gmail.com>
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: bin/61084: nfsd sometimes exits prematurely during port-scan
Date: Tue, 23 Nov 2004 23:43:46 +0000 (GMT)

 On Tue, 23 Nov 2004, Phil Brennan wrote:
 
 > The fix for this has not been committed to RELENG_5_2. 
 > src/usr.sbin/nfsd/nfsd.c is still at 1.28, when it should be 1.29.  This
 > is very unfortunate, as it allows a denial of service simply by running
 > nmap against the box. Could this be committed to this branch also, as
 > there are quite a lot of people still running 5.2.1.  Thanks. ( Just got
 > bitten by this today )  Regards,
 
 I'll put in a request to the re@ team to get this merged ASAP.  Thanks for
 the pointer, and sorry about not having merged it there previously!
 
 Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
 robert@fledge.watson.org      Principal Research Scientist, McAfee Research
 
 
 
>Unformatted:
