Date: Sat, 17 Mar 2001 13:05:15 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Matt Dillon <dillon@earth.backplane.com>
Cc: Paul Herman <pherman@frenchfries.net>, "ho-sang, yoon" <tsoi@xocah.holywar.net>, freebsd-security@FreeBSD.ORG, Kris Kennaway <kris@obsecurity.org>
Subject: Re: Multiple vendors FTP denial of service (fwd)
Message-ID: <20010317130515.A20798@ringworld.oblivion.bg>
In-Reply-To: <200103162116.f2GLGm674347@earth.backplane.com>; from dillon@earth.backplane.com on Fri, Mar 16, 2001 at 01:16:48PM -0800
References: <Pine.BSF.4.33.0103162158140.10083-100000@husten.security.at12.de> <200103162116.f2GLGm674347@earth.backplane.com>

On Fri, Mar 16, 2001 at 01:16:48PM -0800, Matt Dillon wrote:
> :>
> :> I don't think that the resource limit does effect on this matter.
> :> Or, am I something wrong?
> :
> :I, too, had thought that "max memory size" (or RLIMIT_RSS) would have
> :kicked in, but it didn't. However, what does work is setting the
> :"datasize" (RLIMIT_DATA), which will kill ftpd when "SIZE" exceeds
> :RLIMIT_DATA.
> :
> :Now I'm wondering about RLIMIT_RSS, i.e. the amount of memory in core.
> :I'm perusing through sys/vm now...
> :
> :-Paul.
>
>     The 'datasize' limit (RLIMIT_DATA) only applies to malloc(). It does
>     not apply to mmap(). This is a known issue. In any case, it would depend
>     on what ftpd uses. I would expect ftpd to use malloc() for internal
>     structures and perhaps mmap() (or sendfile()) when reading a file.
>
>     The 'memoryuse' limit (RLIMIT_RSS) only applies to the process's
>     in-core size. If the process exceeds this value and the machine is
>     loaded down, the kernel will attempt to swap pages out to get the
>     process back within the limit. If the machine is mostly idle, the
>     kernel ignores this limit.
>
>     Currently we have no resource to limit mmap() use.

I think in this case it's important to limit exactly malloc(), and
definitely NOT mmap(). It's glob(3) that's causing this particular DoS,
and it (or, in particular, lib/libc/gen/glob.c's globextend()) uses malloc().

We definitely do not want to limit the maximum filesize that ftpd can
transfer - which uses sendfile(); I do not know where sendfile() gets
its limits from, but being a syscall, it should not be dependent
on RLIMIT_DATA.

(well, OK, you probably know what I mean :)

G'luck,
Peter

--
This sentence no verb.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
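
The distinction drawn in this message, as an added example that is not part of the original e-mail or of FreeBSD's ftpd: a forked child lowers RLIMIT_DATA, grows its data segment with sbrk() (the classic way a malloc() obtains heap) until the kernel refuses, then maps a file read-only at twice the limit. The names `probe_datasize` and `struct probe`, the 16 MB limit and the use of `/dev/zero` are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define STEP      (1024 * 1024) /* grow the data segment 1 MB at a time */
#define MAX_STEPS 1024          /* hard stop if the limit is not enforced */
struct probe { long brk_steps; int mmap_ok; };

/* In a forked child (so the caller keeps its own limits): cap RLIMIT_DATA,
 * grow the data segment with sbrk() until it fails, then try a read-only
 * file mapping twice the size of the limit. Returns 0 on success. */
int probe_datasize(rlim_t limit_bytes, struct probe *out)
{
    int fds[2], status;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        struct rlimit rl = { .rlim_cur = limit_bytes, .rlim_max = limit_bytes };
        struct probe p = { 0, 0 };
        if (setrlimit(RLIMIT_DATA, &rl) != 0) _exit(2);
        while (p.brk_steps < MAX_STEPS && sbrk(STEP) != (void *)-1)
            p.brk_steps++;
        /* Read-only: Linux 4.7+ also counts private writable mappings. */
        int fd = open("/dev/zero", O_RDONLY);
        void *m = fd < 0 ? MAP_FAILED
            : mmap(NULL, 2 * (size_t)limit_bytes, PROT_READ, MAP_PRIVATE, fd, 0);
        p.mmap_ok = (m != MAP_FAILED);
        _exit(write(fds[1], &p, sizeof p) == (ssize_t)sizeof p ? 0 : 3);
    }
    close(fds[1]);
    ssize_t r = read(fds[0], out, sizeof *out);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    return (r == (ssize_t)sizeof *out && WIFEXITED(status)
            && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    struct probe p;
    if (probe_datasize(16 * 1024 * 1024, &p) != 0) return 1;
    printf("sbrk steps before failure: %ld, read-only mmap ok: %d\n", p.brk_steps, p.mmap_ok);
    return 0;
}
```

Heap growth stops within the configured limit while the file mapping still succeeds, which is why a datasize limit can bound glob(3)'s allocations without capping the size of files the daemon can serve.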