http://bugzilla.spamassassin.org/show_bug.cgi?id=3782
Summary: Spamd is not using timeouts on sockets - Possible DoS
Product: Spamassassin
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P5
Component: spamc/spamd
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
Hello,
if the client connection is broken during mail upload to spamd (after the request
header), spamd will keep the connection for an undefined period of time (arch
dependent), which may cause a DoS against spamd (if -m is defined) and/or a complete
machine DoS (if -m is undef, or is set to a high value).
Versions 2.6x and 3.0x suffer from this on various Linux and Windows versions,
possibly others.
However, it seems that 2.6x has its own select calls, so it's possible to avoid the
DoS.
3.0x completely relies upon the IO::Socket / IO::Handle modules for timeout values on
I/O. IO::Socket doesn't actually implement timeouts (the code is commented out), and
IO::Handle, since it uses "struct FILE", isn't supposed to implement them.
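
A bounded read of the kind the report says spamd 3.0x lacks, as an added example that is not part of the original report or SpamAssassin's own code. `read_with_deadline` and the socket-pair harness are hypothetical, and the 1000-byte length and 2-second limit are constructed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Select;
use Socket qw(AF_UNIX SOCK_STREAM PF_UNSPEC);
use Time::HiRes qw(time);

# Hypothetical helper: read exactly $want bytes from $sock, giving up after
# $timeout seconds in total. Returns ($data, $status), where $status is
# 'ok', 'timeout', 'eof' or 'error'.
sub read_with_deadline {
    my ($sock, $want, $timeout) = @_;
    my $sel      = IO::Select->new($sock);
    my $deadline = time() + $timeout;
    my $buf      = '';
    while (length($buf) < $want) {
        my $left = $deadline - time();
        return ($buf, 'timeout') if $left <= 0;
        # can_read wraps select(2); the list is empty if nothing arrived in time.
        my @ready = $sel->can_read($left);
        next unless @ready;
        # sysread bypasses the buffered "struct FILE" layer, so select() stays accurate.
        my $n = sysread($sock, $buf, $want - length($buf), length($buf));
        unless (defined $n) {
            next if $!{EINTR};          # interrupted by a signal: retry
            return ($buf, 'error');
        }
        return ($buf, 'eof') if $n == 0; # peer closed before sending everything
    }
    return ($buf, 'ok');
}

# Constructed scenario: a local socket pair stands in for the spamc/spamd link.
socketpair(my $server, my $client, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
    or die "socketpair: $!";

# The client side announces 1000 bytes, sends 10, then goes silent
# (the broken upload after the request header described in the report).
my $declared_len = 1000;                # constructed stand-in for the header value
syswrite($client, "0123456789");

my $t0 = time();
my ($data, $status) = read_with_deadline($server, $declared_len, 2);
printf "status=%s bytes=%d elapsed=%.1fs\n", $status, length($data), time() - $t0;

# On anything but 'ok' the child drops the connection and is free again,
# so a stalled client cannot hold one of the -m slots indefinitely.
close($server) if $status ne 'ok';
```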