tcp-clients settings could be exceeded in some cases by
creating more and more active TCP clients that are over
the set quota limit, which in the end could lead to a
DoS attack by e.g. exhaustion of file descriptors.
If the TCP client we're closing went over the quota (so it's
not attached to a quota) mark it as mortal - so that it
will be destroyed and not set up to listen for new
connections - unless it's the last client for a specific
interface.
(cherry picked from commit 9ef6eb4c37ed909c8e2a5508c3b3e510b7b13b85)
(cherry picked from commit 264384fbb9e722dff2d78d48bb00b4f6290bc51c)
isc_socket_detach(&client->tcpsocket);
}
- if (client->tcpquota != NULL)
+ if (client->tcpquota != NULL) {
isc_quota_detach(&client->tcpquota);
+ } else {
+ /*
+ * We went over quota with this client, we don't
+ * want to restart listening unless this is the
+ * last client on this interface, which is
+ * checked later.
+ */
+ if (TCP_CLIENT(client)) {
+ client->mortal = true;
+ }
+ }
if (client->timerset) {
(void)isc_timer_reset(client->timer,
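Review bot: In the new else branch, client->tcpquota == NULL is the only signal that the client went over quota. isc_quota_detach() takes &client->tcpquota and presumably clears the pointer, so a client that reaches this code a second time would fall into the else branch and be marked mortal even though it was within quota. If that cannot happen, say so in the comment; otherwise record the over-quota state in an explicit flag when the client is created. The comment also relies on a last-client-on-this-interface check "checked later" that is not visible in this hunk, so naming the function or condition that performs it would let a reader confirm that setting mortal here cannot leave an interface with no listener. Minor style point: the nested if inside the else could be written as else if (TCP_CLIENT(client)) with the comment placed above it.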