On Mon, 17 Jul 2017 at 08:58:21 -0700, David Miller wrote:
> > With all of this in mind, let's drop the recursion limit. It has no
> > additional security value, anymore. On the contrary, it randomly
> > confuses message brokers that try to forward file-descriptors, since
> > any sendmsg(2) call can fail spuriously with ETOOMANYREFS if a client
> > maliciously modifies the FD while inflight.
>
> Applied, thanks.

I assume I was cc'd on this as a maintainer of one of the message brokers
that handles ETOOMANYREFS (dbus-daemon).

dbus-daemon will have to keep its current handling of ETOOMANYREFS
(namely dropping the message on the floor) for at least a few years, to
avoid re-introducing local denial of service CVE-2014-3532 on kernels
older than the one where you applied this; so please try to avoid reusing
ETOOMANYREFS for any new sendmsg() error condition where this would not
be an appropriate response.

Thanks,
S
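
The following is an added example, not part of the original message and not dbus-daemon's code: a C sketch of a sender that forwards a file descriptor with SCM_RIGHTS and maps ETOOMANYREFS to "drop this message", the policy described above. The names `send_result`, `classify_send_errno` and `send_with_fd` are hypothetical.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical outcome codes for this example. */
enum send_result { SEND_OK, SEND_RETRY, SEND_DROPPED, SEND_FATAL };

/* Map a sendmsg() errno to a broker policy. ETOOMANYREFS gets its own
 * outcome: the message is dropped and the connection is kept. */
enum send_result classify_send_errno(int err)
{
    switch (err) {
    case 0:            return SEND_OK;
    case EINTR:
    case EAGAIN:       return SEND_RETRY;
    case ETOOMANYREFS: return SEND_DROPPED;
    default:           return SEND_FATAL;
    }
}

/* Send len bytes plus one file descriptor as SCM_RIGHTS ancillary data. */
enum send_result send_with_fd(int sock, const void *buf, size_t len, int fd)
{
    union { struct cmsghdr hdr; char space[CMSG_SPACE(sizeof(int))]; } ctl;
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { 0 };
    struct cmsghdr *cm;

    memset(&ctl, 0, sizeof(ctl));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.space;
    msg.msg_controllen = sizeof(ctl.space);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, MSG_NOSIGNAL) < 0 ? classify_send_errno(errno)
                                                 : SEND_OK;
}

int main(void)
{
    int sv[2], p[2];   /* constructed test input: a socketpair and a pipe */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0)
        return 1;
    return send_with_fd(sv[0], "x", 1, p[0]) == SEND_OK ? 0 : 1;
}
```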