Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by krbdev.mit.edu (8.9.3p2) with ESMTP id UAA13756; Wed, 14 Feb 2007 20:15:23 -0500 (EST) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id l1F1FE4d013445; Wed, 14 Feb 2007 20:15:14 -0500 (EST) Received: from [69.25.196.99] (laptop.raeburn.org [69.25.196.99]) (authenticated bits=0) (User authenticated as raeburn@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id l1F1EvYp007808 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 14 Feb 2007 20:14:58 -0500 (EST) In-Reply-To: References: MIME-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <8E7DCD4B-FA95-4948-95B3-C8A983D83495@mit.edu> Content-Transfer-Encoding: 7bit From: Ken Raeburn Subject: Re: [krbdev.mit.edu #5440] sendto_kdc() not signal safe, doesn't respond well to staggered TCP responses. Date: Wed, 14 Feb 2007 20:14:53 -0500 To: rt@krbdev.mit.edu X-Mailer: Apple Mail (2.752.2) X-Scanned-BY: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 RT-Send-Cc: X-RT-Original-Encoding: us-ascii Content-Length: 1975 On Feb 14, 2007, at 18:53, Public Submitter via RT wrote: >> From code inspection sendto_kdc() is fundamentally flawed insofar as > it assumes that when select(2) returns, it has consumed all of the > time that it was allotted. This is incorrect in two cases: We should be going back into the select call unless krb5int_cm_call_select returns zero *and* sets *sret to 0. > 1. if the process catches signals then select(2) will return > EINTR, and It looks like that won't be handled properly, true... probably the call_select routine should check for that, and just try calling select again. > 2. while processing a TCP connexion, select(2) can return true > but the subsequent read will not contain enough data to > complete the request. > In both cases, it appears from code inspection that sendto_kdc() will > proceed to either send a new UDP packet or start a new TCP connexion > assuming that the specified delay was entirely consumed. The while loop in service_fds should continue until: 1) all open file descriptors have been closed (selstate->nfds) 2) krb5int_cm_call_select returns nonzero, which indicates an error return from gettimeofday or select (including, yes, EINTR) 3) krb5int_cm_call_select returns zero but sets *sret (number of ready fds) to 0, which should happen only when the specified end time is reached 4) the fd service routine returns nonzero, which for the TCP sockets should only be if the full message is received If an incomplete message is received, and there's still time left, we should wind up back in the select call. > In a worst > case scenario, e.g. a process that spawns and catches lots of kids, > the loop might exit prematurely with an error. > > Actually, it looks like if select(2) returns EINTR then the entire > loop punts returning an error. In short, this means that processes > cannot both process signals and reliably use Kerberos... Yeah, that's a bug... Ken