Commit 79344b97 authored by Mark Andrews's avatar Mark Andrews

2996. [security] Temporarily disable SO_ACCEPTFILTER support.

                        [RT #22589]
parent 179e028b
2996. [security] Temporarily disable SO_ACCEPTFILTER support.
[RT #22589]
2995. [bug] The Kerberos realm was not being correctly extracted 2995. [bug] The Kerberos realm was not being correctly extracted
from the signer's identity. [RT #22770] from the signer's identity. [RT #22770]
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: socket.c,v 1.332 2010/12/03 22:05:19 each Exp $ */ /* $Id: socket.c,v 1.333 2010/12/22 03:08:36 marka Exp $ */
/*! \file */ /*! \file */
...@@ -4995,10 +4995,17 @@ isc__socket_bind(isc_socket_t *sock0, isc_sockaddr_t *sockaddr, ...@@ -4995,10 +4995,17 @@ isc__socket_bind(isc_socket_t *sock0, isc_sockaddr_t *sockaddr,
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
/*
* Enable this only for specific OS versions, and only when they have repaired
* their problems with it. Until then, this is is broken and needs to be
* diabled by default. See RT22589 for details.
*/
#undef ENABLE_ACCEPTFILTER
ISC_SOCKETFUNC_SCOPE isc_result_t ISC_SOCKETFUNC_SCOPE isc_result_t
isc__socket_filter(isc_socket_t *sock0, const char *filter) { isc__socket_filter(isc_socket_t *sock0, const char *filter) {
isc__socket_t *sock = (isc__socket_t *)sock0; isc__socket_t *sock = (isc__socket_t *)sock0;
#ifdef SO_ACCEPTFILTER #if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
char strbuf[ISC_STRERRORSIZE]; char strbuf[ISC_STRERRORSIZE];
struct accept_filter_arg afa; struct accept_filter_arg afa;
#else #else
...@@ -5008,7 +5015,7 @@ isc__socket_filter(isc_socket_t *sock0, const char *filter) { ...@@ -5008,7 +5015,7 @@ isc__socket_filter(isc_socket_t *sock0, const char *filter) {
REQUIRE(VALID_SOCKET(sock)); REQUIRE(VALID_SOCKET(sock));
#ifdef SO_ACCEPTFILTER #if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
bzero(&afa, sizeof(afa)); bzero(&afa, sizeof(afa));
strncpy(afa.af_name, filter, sizeof(afa.af_name)); strncpy(afa.af_name, filter, sizeof(afa.af_name));
if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER, if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER,
......
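Review bot: The comment added above `isc__socket_filter` says the feature is "diabled by default" (with a doubled "is is"), but the `#undef ENABLE_ACCEPTFILTER` that follows is unconditional, so a build that passes `-DENABLE_ACCEPTFILTER` is silently overridden. I would reword the last sentences to `Until then, this is broken and is disabled unconditionally by the #undef below (a -D build flag has no effect). See RT22589 for details.` so nobody assumes the switch is configurable. Before the guarded path is re-enabled, `strncpy(afa.af_name, filter, sizeof(afa.af_name));` in the second hunk should copy at most `sizeof(afa.af_name) - 1` bytes, because a filter name that fills the field may otherwise reach setsockopt() without a terminating NUL. The `#else` branch and the end of the function are outside the visible hunks, so what callers get back while the filter is disabled cannot be checked from here.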