https://bugzilla.novell.com/show_bug.cgi?id=670431
https://bugzilla.novell.com/show_bug.cgi?id=670431#c0

Summary: DoS in Winbind and smbd with many file descriptors open
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: All
OS/Version: openSUSE 11.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Samba
AssignedTo: security-team@suse.de
ReportedBy: lmuelle@novell.com
QAContact: samba-maintainers@SuSE.de
CC: security-team@suse.de, samba@suse.de
Found By: Community User
Blocker: No

From: Volker Lendecke <Volker.Lendecke@SerNet.DE>

In a real customer situation I've seen winbind going berserk. It did a 100% CPU loop between select and read. Customer opened a case with RH because we believed the kernel was wrong, but it turned out that winbind had socket 1050 open.

How to reproduce this? Start winbind, wbinfo -t, unplug the network cable (or the DC's one) and fire 2000 wbinfo -t processes.

No, the winbind client limit does not protect us, this only kicks in for idle clients. We never kill clients that have requests open.

While not having finished the conversion to epoll in S3, I think we need to switch to the inefficient poll. It's a lot less intrusive than I thought.

The attached patch (I've only mildly tested winbind, no smbd yet) converts winbind and smbd to use poll. I would guess poll is pretty portable, at least it's defined in my version of SUSv3.
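
Added example, not part of the bug report or the attached patch: an fd_set can only represent descriptors below FD_SETSIZE (1024 with glibc), so a socket numbered 1050 cannot be watched safely with select(), while poll() takes the descriptor as a plain integer. The function names and the pipe-based scenario are constructed for illustration.

```c
/* Added example: a descriptor at 1050 cannot go into an fd_set, poll() handles it. */
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* FD_SET() on a descriptor >= FD_SETSIZE writes outside the fd_set, so a
 * select()-based loop has to refuse such a descriptor (hypothetical helper). */
int fd_fits_select(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* poll() has no such ceiling. Returns 1 if a read would not block,
 * 0 on timeout, -1 on error or if the descriptor is not open. */
int wait_readable_poll(int fd, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int n = poll(&p, 1, timeout_ms);
    if (n <= 0) return n;
    return (p.revents & POLLNVAL) ? -1 : 1;
}

/* Constructed scenario: move a pipe's read end to descriptor 1050 (the number
 * from the report) and wait on it. Returns 1 when poll() sees the data,
 * -1 if this environment does not allow a descriptor that high. */
int demo_high_fd(void) {
    struct rlimit rl;
    int pfd[2], high, r;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    if (rl.rlim_cur <= 1050) {            /* default soft limit is often 1024 */
        rl.rlim_cur = rl.rlim_max > 2048 ? 2048 : rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    }
    if (pipe(pfd) != 0) return -1;
    high = fcntl(pfd[0], F_DUPFD, 1050);  /* lowest free descriptor >= 1050 */
    if (high < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    r = (write(pfd[1], "x", 1) == 1 && !fd_fits_select(high))
            ? wait_readable_poll(high, 1000) : 0;
    close(high); close(pfd[0]); close(pfd[1]);
    return r;
}

int main(void) { return demo_high_fd() == 1 ? 0 : 1; }
```

A select()-based daemon that cannot be converted should at least check each accepted descriptor with a test like fd_fits_select() and close the connection when it fails.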