[ python-Bugs-1685000 ] DoS asyncore vulnerability
SourceForge.net
noreply at sourceforge.net
Fri Mar 23 20:59:34 CET 2007
Bugs item #1685000, was opened at 2007-03-21 02:15
Message generated for change (Comment added) made by rushing
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1685000&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.5
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: billiejoex (billiejoex)
Assigned to: Nobody/Anonymous (nobody)
Summary: DoS asyncore vulnerability
Initial Comment:
DoS asyncore vulnerability
asyncore, independently if used with select() or poll(), suffers a DoS-type vulnerability when a high number of simultaneous connections to handle simultaneously is reached.
The number of maximum connections is system-dependent as well as the type of error raised.
I attached two simple Proof of Concept scripts demonstrating such bug.
If you want to try the behaviours listed below run the attached "asyncore_server.py" and "asyncore_client.py" scripts on your local workstation.
On my Windows XP system (Python 2.5), independently if asyncore has been used to develop a server or a client, the error is raised by select() inside asyncore's "poll" function when 512 (socket_map's elements) simultaneous connections are reached.
Here's the traceback I get:
[...]
connections: 510
connections: 511
connections: 512
Traceback (most recent call last):
File "C:\scripts\asyncore_server.py", line 38, in <module>
asyncore.loop()
File "C:\Python25\lib\asyncore.py", line 191, in loop
poll_fun(timeout, map)
File "C:\Python25\lib\asyncore.py", line 121, in poll
r, w, e = select.select(r, w, e, timeout)
ValueError: too many file descriptors in select()
On my Linux Ubuntu 6.10 (kernel 2.6.17-10, Python 2.5) different type of errors are raised depending on the application (client or server).
In an asyncore-based client the error is raised by socket module (dispatcher's "self.socket" attribute) inside 'connect' method of 'dispatcher' class:
[...]
connections: 1018
connections: 1019
connections: 1020
connections: 1021
Traceback (most recent call last):
File "asyncore_client.py", line 31, in <module>
File "asyncore.py", line 191, in loop
File "asyncore.py", line 138, in poll
File "asyncore.py", line 80, in write
File "asyncore.py", line 76, in write
File "asyncore.py", line 395, in handle_write_event
File "asyncore_client.py", line 24, in handle_connect
File "asyncore_client.py", line 9, in __init__
File "asyncore.py", line 257, in create_socket
File "socket.py", line 156, in __init__
socket.error: (24, 'Too many open files')
On an asyncore-based server the error is raised by socket module (dispatcher's "self.socket" attribute) inside 'accept' method of 'dispatcher' class:
[...]
connections: 1019
connections: 1020
connections: 1021
Traceback (most recent call last):
File "asyncore_server.py", line 38, in <module>
File "asyncore.py", line 191, in loop
File "asyncore.py", line 132, in poll
File "asyncore.py", line 72, in read
File "asyncore.py", line 68, in read
File "asyncore.py", line 384, in handle_read_event
File "asyncore_server.py", line 16, in handle_accept
File "asyncore.py", line 321, in accept
File "socket.py", line 170, in accept
socket.error: (24, 'Too many open files')
----------------------------------------------------------------------
Comment By: Sam Rushing (rushing)
Date: 2007-03-23 12:59
Message:
Logged In: YES
user_id=73736
Originator: NO
The problem is that there's no portable way to know what the limit
on file descriptors is. The 'classic' for select/poll is the FD_SETSIZE
macro. But on some operating systems there is no such limit. [e.g.,
win32
does not use the 'lowest-free-int' model common to unix].
I believe that in Medusa there was a derived class or extension that
counted
the number of open sockets, and limited it, using something like a
semaphore.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1685000&group_id=5470
More information about the Python-bugs-list
mailing list