[cvsnt] cvs sserver protocol problem while forcing encryption - patch
Stellars Henson
stellars at interia.pl
Mon May 8 01:11:16 BST 2006
Hello. I have experienced several problems running commands under
sserver protocol, while forcing encryption either using -x switch and
setting EncryptionLevel=4. The example cvsroot looked like:
:sserver:stell@<host>:/cvs
The erroneous behaviour was:
a. when rlimit_stack set to standard value (8M)
cvsnt server crashed with:
May 7 21:29:26 behemot kernel: grsec: From 213.134.177.211: denied resource overstep by requesting 8429568 for RLIMIT_STACK against limit 8388608 for /usr/bin/cvsnt
[cvsnt:9271] uid/euid:1025/1025 gid/egid:1025/1025, parent /usr/sbin/xinetd[xinetd:18194] uid/euid:0/0 gid/egid:0/0
May 7 21:29:45 behemot cvsnt: Write data failed (5): Server dropped connection.
May 7 21:29:45 behemot last message repeated 18 times
The problem occurred while the file to download from the repository was large (big pdf).
b. when rlimit_stack set to above 128M
cvsnt server runs 100% cpu and if rlimit_stack set to unlimited - eats ram and swap space
messages:
May 7 21:38:24 behemot cvsnt: Write data failed (1): error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry
May 7 21:38:55 behemot last message repeated 1067 times
May 7 21:39:51 behemot last message repeated 1050 times
The problem occurs only when using an sserver connection with forced encryption.
I've managed to overcome the problem using some code enhancements in client.cpp
Sending the patch, it simply disables forced encryption while using sserver ....
--
Stell
-------------- next part --------------
diff -uNr cvsnt-2.5.03.2260-old/src/client.cpp cvsnt-2.5.03.2260/src/client.cpp
--- cvsnt-2.5.03.2260-old/src/client.cpp 2006-02-16 22:47:27.000000000 +0100
+++ cvsnt-2.5.03.2260/src/client.cpp 2006-05-08 01:54:59.000000000 +0200
@@ -3659,7 +3659,8 @@
if (status ! error (1, status, "writing to server");
- if (cvsencrypt && rootless_encryption)
+ //cover sserver encryption bug - turn off encryption if method is sserver
+ if (cvsencrypt && rootless_encryption && strcasecmp(current_parsed_root->method,"sserver") ) {
{
/* Turn on encryption before turning on compression. We do
not want to try to compress the encrypted stream. Instead,
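Review bot: the added `if (...) {` line is immediately followed by the original `{` context line, so the block now opens two braces and nothing visible in this hunk closes the extra one; drop the trailing `{` from the new line. The condition also skips the encryption request silently when the method is sserver, so a user who passed -x gets no indication that it was ignored; emit a warning or trace message on that path and write the test as `strcasecmp(...) != 0` so the intent is explicit. The crash and CPU loop reported in the message occur in the server process, so this client-side change leaves the server exposed to the same failure from any unpatched client, and the server-side handling still needs its own fix.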
@@ -3731,7 +3732,8 @@
}
}
- if (cvsauthenticate && !cvsencrypt && rootless_encryption)
+ //cover sserver encryption bug - turn off encryption if method is sserver
+ if (cvsauthenticate && (!cvsencrypt || strcasecmp(current_parsed_root->method,"sserver")) && rootless_encryption) {
{
/* Turn on authentication after turning on compression, so
that we can compress the authentication information. We
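Review bot: the new test `(!cvsencrypt || strcasecmp(current_parsed_root->method,"sserver"))` changes behaviour for every method other than sserver: with both cvsauthenticate and cvsencrypt set, strcasecmp returns non-zero and the authentication branch is now taken, where the original `!cvsencrypt` test skipped it. For sserver with cvsencrypt set the branch is still skipped, so such a connection requests neither encryption nor authentication at this layer. If the intent is to treat sserver as not encrypting, the sub-expression would be `!cvsencrypt || strcasecmp(...) == 0`; the comment should say which is meant, and it currently repeats "turn off encryption" although this branch controls authentication. The new line also ends in `{` directly before the original `{` context line, leaving an extra opening brace with no visible close.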