2996. [security] Temporarily disable SO_ACCEPTFILTER support.

                        [RT #22589]

diff --git a/CHANGES b/CHANGES
index 71daa10bab30d02f5ce56f56a29e370d14ca0f35..4195b38e48e65ec36c0ef27f8f9e099e9d061421 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2996.  [security]      Temporarily disable SO_ACCEPTFILTER support.
+                       [RT #22589]
+
 2995.  [bug]           The Kerberos realm was not being correctly extracted
                        from the signer's identity. [RT #22770]
 

diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 7fa9b2e977b102173a9e74cbd4ed3aeca8640d07..7fd49ae3439a0a712b2d236b5176811c00316f57 100644 (file)
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.308.12.16 2010/12/03 22:03:41 each Exp $ */
+/* $Id: socket.c,v 1.308.12.17 2010/12/22 03:28:13 marka Exp $ */
 
 /*! \file */
 
@@ -4738,9 +4738,16 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
        return (ISC_R_SUCCESS);
 }
 
+/*
+ * Enable this only for specific OS versions, and only when they have repaired
+ * their problems with it.  Until then, this is is broken and needs to be
+ * diabled by default.  See RT22589 for details.
+ */
+#undef ENABLE_ACCEPTFILTER
+
 isc_result_t
 isc_socket_filter(isc_socket_t *sock, const char *filter) {
-#ifdef SO_ACCEPTFILTER
+#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
        char strbuf[ISC_STRERRORSIZE];
        struct accept_filter_arg afa;
 #else
@@ -4750,7 +4757,7 @@ isc_socket_filter(isc_socket_t *sock, const char *filter) {
 
        REQUIRE(VALID_SOCKET(sock));
 
-#ifdef SO_ACCEPTFILTER
+#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
        bzero(&afa, sizeof(afa));
        strncpy(afa.af_name, filter, sizeof(afa.af_name));
        if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER,