Tree - rpms/chrony - src.fedoraproject.org

lkundrak / rpms / chrony

Forked from rpms/chrony 4 years ago

Blame chrony-1.23-syslograte.patch

Blob History Raw

		83b78ef	`From 0b710499f994823bd938fc6895f097eefb9cc59f Mon Sep 17 00:00:00 2001`
		83b78ef	`From: Miroslav Lichvar <mlichvar@redhat.com>`
		83b78ef	`Date: Wed, 13 Jan 2010 19:02:07 +0100`
		83b78ef	`Subject: [PATCH 2/3] Limit rate of syslog messages`
		83b78ef
		83b78ef	`Error messages caused by incoming packets need to be rate limited`
		83b78ef	`to avoid filling up disk space.`
		83b78ef	`---`
		83b78ef	`cmdmon.c \| 22 +++++++++++-----------`
		83b78ef	`logging.c \| 18 ++++++++++++++++++`
		83b78ef	`logging.h \| 3 +++`
		83b78ef	`ntp_core.c \| 4 ++--`
		83b78ef	`ntp_io.c \| 6 ++++--`
		83b78ef	`5 files changed, 38 insertions(+), 15 deletions(-)`
		83b78ef
		83b78ef	`diff --git a/cmdmon.c b/cmdmon.c`
		83b78ef	`index c9ce0e9..f79d282 100644`
		83b78ef	`--- a/cmdmon.c`
		83b78ef	`+++ b/cmdmon.c`
		83b78ef	`@@ -654,7 +654,7 @@ transmit_reply(CMD_Reply msg, struct sockaddr_in where_to)`
		83b78ef	`status = sendto(sock_fd, (void *) msg, tx_message_length, 0,`
		83b78ef	`(struct sockaddr *) where_to, sizeof(struct sockaddr_in));`
		83b78ef
		83b78ef	`- if (status < 0) {`
		83b78ef	`+ if (status < 0 && !LOG_RateLimited()) {`
		83b78ef	`remote_ip = ntohl(where_to->sin_addr.s_addr);`
		83b78ef	`remote_port = ntohs(where_to->sin_port);`
		83b78ef	`LOG(LOGS_WARN, LOGF_CmdMon, "Could not send response to %s:%hu", UTI_IPToDottedQuad(remote_ip), remote_port);`
		83b78ef	`@@ -1659,7 +1659,9 @@ read_from_cmd_socket(void *anything)`
		83b78ef	`}`
		83b78ef
		83b78ef	`if (read_length != expected_length) {`
		83b78ef	`- LOG(LOGS_WARN, LOGF_CmdMon, "Read incorrectly sized packet from %s:%hu", UTI_IPToDottedQuad(remote_ip), remote_port);`
		83b78ef	`+ if (!LOG_RateLimited()) {`
		83b78ef	`+ LOG(LOGS_WARN, LOGF_CmdMon, "Read incorrectly sized packet from %s:%hu", UTI_IPToDottedQuad(remote_ip), remote_port);`
		83b78ef	`+ }`
		83b78ef	`if (allowed)`
		83b78ef	`CLG_LogCommandAccess(remote_ip, CLG_CMD_BAD_PKT, cooked_now.tv_sec);`
		83b78ef	`/* For now, just ignore the packet. We may want to send a reply`
		83b78ef	`@@ -1673,13 +1675,11 @@ read_from_cmd_socket(void *anything)`
		83b78ef	`regardless of the defined access rules - otherwise, we could`
		83b78ef	`shut ourselves out completely! */`
		83b78ef
		83b78ef	`- /* We ought to find another way to log this, there is an attack`
		83b78ef	`- here against the host because an adversary can just keep`
		83b78ef	`- hitting us with bad packets until our log file(s) fill up. */`
		83b78ef	`-`
		83b78ef	`- LOG(LOGS_WARN, LOGF_CmdMon, "Command packet received from unauthorised host %s port %d",`
		83b78ef	`- UTI_IPToDottedQuad(remote_ip),`
		83b78ef	`- remote_port);`
		83b78ef	`+ if (!LOG_RateLimited()) {`
		83b78ef	`+ LOG(LOGS_WARN, LOGF_CmdMon, "Command packet received from unauthorised host %s port %d",`
		83b78ef	`+ UTI_IPToDottedQuad(remote_ip),`
		83b78ef	`+ remote_port);`
		83b78ef	`+ }`
		83b78ef
		83b78ef	`tx_message.status = htons(STT_NOHOSTACCESS);`
		83b78ef	`transmit_reply(&tx_message, &where_from);`
		83b78ef	`@@ -1764,7 +1764,7 @@ read_from_cmd_socket(void *anything)`
		83b78ef	`tx_message_length = PKL_ReplyLength(prev_tx_message);`
		83b78ef	`status = sendto(sock_fd, (void *) prev_tx_message, tx_message_length, 0,`
		83b78ef	`(struct sockaddr *) &where_from, sizeof(where_from));`
		83b78ef	`- if (status < 0) {`
		83b78ef	`+ if (status < 0 && !LOG_RateLimited()) {`
		83b78ef	`LOG(LOGS_WARN, LOGF_CmdMon, "Could not send response to %s:%hu", UTI_IPToDottedQuad(remote_ip), remote_port);`
		83b78ef	`}`
		83b78ef	`return;`
		83b78ef	`@@ -1884,7 +1884,7 @@ read_from_cmd_socket(void *anything)`
		83b78ef
		83b78ef	`case REQ_LOGON:`
		83b78ef	`/* If the log-on fails, record the reason why */`
		83b78ef	`- if (!issue_token) {`
		83b78ef	`+ if (!issue_token && !LOG_RateLimited()) {`
		83b78ef	`LOG(LOGS_WARN, LOGF_CmdMon,`
		83b78ef	`"Bad command logon from %s port %d (md5_ok=%d valid_ts=%d)\n",`
		83b78ef	`UTI_IPToDottedQuad(remote_ip),`
		83b78ef	`diff --git a/logging.c b/logging.c`
		83b78ef	`index d432762..8311640 100644`
		83b78ef	`--- a/logging.c`
		83b78ef	`+++ b/logging.c`
		83b78ef	`@@ -40,6 +40,8 @@ static int initialised = 0;`
		83b78ef
		83b78ef	`static int is_detached = 0;`
		83b78ef
		83b78ef	`+static time_t last_limited = 0;`
		83b78ef	`+`
		83b78ef	`#ifdef WINNT`
		83b78ef	`static FILE *logfile;`
		83b78ef	`#endif`
		83b78ef	`@@ -214,3 +216,19 @@ LOG_GoDaemon(void)`
		83b78ef	`}`
		83b78ef
		83b78ef	`/* ================================================== */`
		83b78ef	`+`
		83b78ef	`+int`
		83b78ef	`+LOG_RateLimited(void)`
		83b78ef	`+{`
		83b78ef	`+ time_t now;`
		83b78ef	`+`
		83b78ef	`+ now = time(NULL);`
		83b78ef	`+`
		83b78ef	`+ if (last_limited + 10 > now && last_limited <= now)`
		83b78ef	`+ return 1;`
		83b78ef	`+`
		83b78ef	`+ last_limited = now;`
		83b78ef	`+ return 0;`
		83b78ef	`+}`
		83b78ef	`+`
		83b78ef	`+/* ================================================== */`
		83b78ef	`diff --git a/logging.h b/logging.h`
		83b78ef	`index 6e73dbb..41975ec 100644`
		83b78ef	`--- a/logging.h`
		83b78ef	`+++ b/logging.h`
		83b78ef	`@@ -84,6 +84,9 @@ extern void LOG_Position(const char filename, int line_number, const char func`
		83b78ef
		83b78ef	`extern void LOG_GoDaemon(void);`
		83b78ef
		83b78ef	`+/* Return zero once per 10 seconds */`
		83b78ef	`+extern int LOG_RateLimited(void);`
		83b78ef	`+`
		83b78ef	`/* Line logging macro. If the compiler is GNU C, we take advantage of`
		83b78ef	`being able to get the function name also. */`
		83b78ef	`#if defined(__GNUC__)`
		83b78ef	`diff --git a/ntp_core.c b/ntp_core.c`
		83b78ef	`index 60d433c..9576296 100644`
		83b78ef	`--- a/ntp_core.c`
		83b78ef	`+++ b/ntp_core.c`
		83b78ef	`@@ -1358,7 +1358,7 @@ process_known`
		83b78ef	`&inst->local_ntp_tx,`
		83b78ef	`&inst->remote_addr);`
		83b78ef
		83b78ef	`- } else {`
		83b78ef	`+ } else if (!LOG_RateLimited()) {`
		83b78ef	`LOG(LOGS_WARN, LOGF_NtpCore, "NTP packet received from unauthorised host %s port %d",`
		83b78ef	`UTI_IPToDottedQuad(inst->remote_addr.ip_addr),`
		83b78ef	`inst->remote_addr.port);`
		83b78ef	`@@ -1526,7 +1526,7 @@ NCR_ProcessNoauthUnknown(NTP_Packet message, struct timeval now, NTP_Remote_Ad`
		83b78ef	`remote_addr);`
		83b78ef
		83b78ef	`}`
		83b78ef	`- } else {`
		83b78ef	`+ } else if (!LOG_RateLimited()) {`
		83b78ef	`LOG(LOGS_WARN, LOGF_NtpCore, "NTP packet received from unauthorised host %s port %d",`
		83b78ef	`UTI_IPToDottedQuad(remote_addr->ip_addr),`
		83b78ef	`remote_addr->port);`
		83b78ef	`diff --git a/ntp_io.c b/ntp_io.c`
		83b78ef	`index afb6ad1..aaa3cbc 100644`
		83b78ef	`--- a/ntp_io.c`
		83b78ef	`+++ b/ntp_io.c`
		83b78ef	`@@ -243,7 +243,8 @@ NIO_SendNormalPacket(NTP_Packet packet, NTP_Remote_Address remote_addr)`
		83b78ef	`remote.sin_addr.s_addr = htonl(remote_addr->ip_addr);`
		83b78ef
		83b78ef	`if (sendto(sock_fd, (void *) packet, NTP_NORMAL_PACKET_SIZE, 0,`
		83b78ef	`- (struct sockaddr *) &remote, sizeof(remote)) < 0) {`
		83b78ef	`+ (struct sockaddr *) &remote, sizeof(remote)) < 0 &&`
		83b78ef	`+ !LOG_RateLimited()) {`
		83b78ef	`LOG(LOGS_WARN, LOGF_NtpIO, "Could not send to %s:%d : %s",`
		83b78ef	`UTI_IPToDottedQuad(remote_addr->ip_addr), remote_addr->port, strerror(errno));`
		83b78ef	`}`
		83b78ef	`@@ -266,7 +267,8 @@ NIO_SendAuthenticatedPacket(NTP_Packet packet, NTP_Remote_Address remote_addr)`
		83b78ef	`remote.sin_addr.s_addr = htonl(remote_addr->ip_addr);`
		83b78ef
		83b78ef	`if (sendto(sock_fd, (void *) packet, sizeof(NTP_Packet), 0,`
		83b78ef	`- (struct sockaddr *) &remote, sizeof(remote)) < 0) {`
		83b78ef	`+ (struct sockaddr *) &remote, sizeof(remote)) < 0 &&`
		83b78ef	`+ !LOG_RateLimited()) {`
		83b78ef	`LOG(LOGS_WARN, LOGF_NtpIO, "Could not send to %s:%d : %s",`
		83b78ef	`UTI_IPToDottedQuad(remote_addr->ip_addr), remote_addr->port, strerror(errno));`
		83b78ef	`}`
		83b78ef	`--`
		83b78ef	`1.6.5.2`
		83b78ef

lkundrak / rpms / chrony

Source Code

Blame chrony-1.23-syslograte.patch