
svnserve DoS attack (1.7.8)

From: Boris Lytochkin <lytboris_at_yandex-team.ru>
Date: Wed, 15 May 2013 14:08:57 +0400

Hi.

It is possible to force the svnserve daemon to exit using a trivial (and valid) TCP session:
14:04:18.277961 IP6 fdef::1.34130 > fd87:e01f:53ee:1203:6672:6565:57fa:eb29.3690: Flags [S], seq 3296066821, win 17880, options [mss 1220,nop,nop,sackOK,nop,wscale 7], length 0
14:04:18.278001 IP6 fd87:e01f:53ee:1203:6672:6565:57fa:eb29.3690 > fdef::1.34130: Flags [S.], seq 2136980559, ack 3296066822, win 65535, options [mss 1220,nop,wscale 6,sackOK,eol], length 0
14:04:18.278081 IP6 fdef::1.34130 > fd87:e01f:53ee:1203:6672:6565:57fa:eb29.3690: Flags [.], ack 1, win 140, length 0
14:04:18.278112 IP6 fdef::1.34130 > fd87:e01f:53ee:1203:6672:6565:57fa:eb29.3690: Flags [R.], seq 1, ack 1, win 140, length 0

There is a possibility that apr_socket_accept() will return ECONNABORTED for such a connection attempt.
[16:03:57]:
/usr/ports/devel/subversion/work/subversion-1.7.8/subversion/svn>/usr/local/bin/svnserve --foreground -d -R -r /home/freebsd-svn
svnserve: E000053: Can't accept client connection: Software caused connection abort
[16:30:01]:

The patch for this situation is trivial enough:
--- subversion/svnserve/main.c~ 2012-10-16 08:03:13.000000000 +0400
+++ subversion/svnserve/main.c 2013-05-15 13:51:13.887976422 +0400
@@ -928,7 +928,7 @@
                                           connection_pool) == APR_CHILD_DONE)
              ;
          }
- if (APR_STATUS_IS_EINTR(status))
+ if (APR_STATUS_IS_EINTR(status) || APR_STATUS_IS_ECONNABORTED(status))
          {
            svn_pool_destroy(connection_pool);
            continue;
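Review bot: the new `|| APR_STATUS_IS_ECONNABORTED(status)` branch swallows the aborted connection with no trace at all; since the old behaviour was a daemon exit with `E000053: Can't accept client connection`, a debug-level log line before the `continue` would keep a flood of handshake-then-RST connections visible to operators instead of making it silent. While touching this condition, consider whether other per-connection accept() results that do not mean the listener itself is broken should take the same `svn_pool_destroy(connection_pool); continue;` path, so that a single misbehaving client can never end the server. Also, the `-` and `+` lines are indented less than the surrounding context lines, so the hunk as pasted will probably not apply cleanly; attaching the output of `svn diff` rather than pasting it inline avoids mail-client whitespace damage.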

P.S. This e-mail must be treated as a VALIDATION e-mail per the http://subversion.apache.org/reporting-issues.html bug reporting guide.

-- 
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671
Received on 2013-05-15 12:24:35 CEST
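As an added example, not code from this report or from Subversion itself, the accept-loop pattern the patch above relies on, written in plain POSIX C: accept() failures that concern one client (EINTR, ECONNABORTED and the related errno values) are retried after releasing per-connection resources, while listener-level failures end the loop. The helper names and the list of simulated accept() outcomes are constructed for the demonstration.

```c
/* Hardened accept() loop: a client that resets right after the handshake
 * must not take the whole daemon down. Example code, not svnserve's. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Errors that describe one connection attempt, not the listening socket. */
int accept_error_is_transient(int err)
{
    switch (err) {
    case EINTR:         /* interrupted by a signal (e.g. the child reaper) */
    case ECONNABORTED:  /* client sent RST after the handshake: the case reported above */
    case EAGAIN:        /* non-blocking listener with an empty queue */
#ifdef EPROTO
    case EPROTO:        /* some systems report an already-dead connection this way */
#endif
        return 1;
    default:            /* EMFILE, ENFILE, ENOMEM, EBADF ...: the server itself is in trouble */
        return 0;
    }
}

struct loop_stats { int accepted; int retried; int fatal_errno; };

/* Drives the loop over a constructed list of accept() outcomes so it runs offline:
 * a value >= 0 is an accepted fd, a negative value is -errno from accept(). */
struct loop_stats run_accept_loop(const int *outcomes, size_t n)
{
    struct loop_stats st = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        int r = outcomes[i];
        if (r < 0) {
            if (accept_error_is_transient(-r)) {
                st.retried++;        /* destroy the per-connection pool, then keep serving */
                continue;
            }
            st.fatal_errno = -r;     /* only a listener-level error may stop the daemon */
            break;
        }
        st.accepted++;               /* hand the connection to a worker here */
    }
    return st;
}

int main(void)
{
    /* Constructed trace: two RST'ed clients and a signal between real connections. */
    const int trace[] = { -EINTR, -ECONNABORTED, 7, -ECONNABORTED, 8, -EMFILE, 9 };
    struct loop_stats st = run_accept_loop(trace, sizeof trace / sizeof trace[0]);
    printf("accepted=%d retried=%d fatal_errno=%d\n", st.accepted, st.retried, st.fatal_errno);
    return 0;
}
```

With the constructed trace the loop accepts two clients, retries three times and stops only at EMFILE, the fd 9 after it never being reached.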

This is an archived mail posted to the Subversion Users mailing list.
