Bugs item #1685000, was opened at 2007-03-21 10:15
Message generated for change (Comment added) made by billiejoex
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1685000&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.5
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: billiejoex (billiejoex)
Assigned to: Nobody/Anonymous (nobody)
Summary: DoS asyncore vulnerability
Initial Comment:
DoS asyncore vulnerability
asyncore, independently if used with select() or poll(), suffers a DoS-type
vulnerability when a high number of simultaneous connections to handle
simultaneously is reached.
The number of maximum connections is system-dependent as well as the type of
error raised.
I attached two simple Proof of Concept scripts demonstrating such bug.
If you want to try the behaviours listed below run the attached
"asyncore_server.py" and "asyncore_client.py" scripts on your local workstation.
On my Windows XP system (Python 2.5), independently if asyncore has been used
to develop a server or a client, the error is raised by select() inside
asyncore's "poll" function when 512 (socket_map's elements) simultaneous
connections are reached.
Here's the traceback I get:
[...]
connections: 510
connections: 511
connections: 512
Traceback (most recent call last):
File "C:\scripts\asyncore_server.py", line 38, in <module>
asyncore.loop()
File "C:\Python25\lib\asyncore.py", line 191, in loop
poll_fun(timeout, map)
File "C:\Python25\lib\asyncore.py", line 121, in poll
r, w, e = select.select(r, w, e, timeout)
ValueError: too many file descriptors in select()
On my Linux Ubuntu 6.10 (kernel 2.6.17-10, Python 2.5) different type of errors
are raised depending on the application (client or server).
In an asyncore-based client the error is raised by socket module (dispatcher's
"self.socket" attribute) inside 'connect' method of 'dispatcher' class:
[...]
connections: 1018
connections: 1019
connections: 1020
connections: 1021
Traceback (most recent call last):
File "asyncore_client.py", line 31, in <module>
File "asyncore.py", line 191, in loop
File "asyncore.py", line 138, in poll
File "asyncore.py", line 80, in write
File "asyncore.py", line 76, in write
File "asyncore.py", line 395, in handle_write_event
File "asyncore_client.py", line 24, in handle_connect
File "asyncore_client.py", line 9, in __init__
File "asyncore.py", line 257, in create_socket
File "socket.py", line 156, in __init__
socket.error: (24, 'Too many open files')
On an asyncore-based server the error is raised by socket module (dispatcher's
"self.socket" attribute) inside 'accept' method of 'dispatcher' class:
[...]
connections: 1019
connections: 1020
connections: 1021
Traceback (most recent call last):
File "asyncore_server.py", line 38, in <module>
File "asyncore.py", line 191, in loop
File "asyncore.py", line 132, in poll
File "asyncore.py", line 72, in read
File "asyncore.py", line 68, in read
File "asyncore.py", line 384, in handle_read_event
File "asyncore_server.py", line 16, in handle_accept
File "asyncore.py", line 321, in accept
File "socket.py", line 170, in accept
socket.error: (24, 'Too many open files')
----------------------------------------------------------------------
>Comment By: billiejoex (billiejoex)
Date: 2007-03-29 16:03
Message:
Logged In: YES
user_id=1357589
Originator: YES
> The problem is that there's no portable way to know what the limit
> on file descriptors is.
Why don't put a try/except statement before creating a new socket's
file-descriptor?
I believe that such problem shouldn't be understimated.
Actually asyncore is the only asynchronous module present in Python's
stdlib.
If asyncore suffers a DoS vulnerability it just means that writing a
secure client/server application with Python without using a third-party
library isn't possible.
I wrote a modified version of asyncore that solves the problem with select
(affecting Windows) but still can't find a way to solve the problem with
socket's file-descriptors (affecting Unix).
----------------------------------------------------------------------
Comment By: Sam Rushing (rushing)
Date: 2007-03-23 20:59
Message:
Logged In: YES
user_id=73736
Originator: NO
The problem is that there's no portable way to know what the limit
on file descriptors is. The 'classic' for select/poll is the FD_SETSIZE
macro. But on some operating systems there is no such limit. [e.g.,
win32
does not use the 'lowest-free-int' model common to unix].
I believe that in Medusa there was a derived class or extension that
counted
the number of open sockets, and limited it, using something like a
semaphore.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1685000&group_id=5470
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
