ASF Bugzilla – Attachment 35048 Details for
Bug 61179
TTLimit directive to set maximum allowed IP_TTL
TTLimit directive
file_61179.txt (text/plain), 3.74 KB, created by
Donatas Abraitis
on 2017-06-13 08:30:33 UTC
Description:
TTLimit directive
Filename:
MIME Type:
Creator:
Donatas Abraitis
Created:
2017-06-13 08:30:33 UTC
Size:
3.74 KB
>commit 71c5147ae4365b4858609358dc183380730cee77
>Author: ton31337 <donatas.abraitis@gmail.com>
>Date: Mon Jun 12 17:36:13 2017 +0300
>
> Add `TTLimit` security check feature
>
>diff --git a/include/ap_listen.h b/include/ap_listen.h
>index 58c2574..e20c566 100644
>--- a/include/ap_listen.h
>+++ b/include/ap_listen.h
>@@ -133,6 +133,7 @@ AP_DECLARE_NONSTD(int) ap_close_selected_listeners(ap_slave_t *);
> * LISTEN_COMMANDS in their command_rec table so that these functions are
> * called.
> */
>+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
>@@ -144,6 +145,8 @@ AP_DECLARE_NONSTD(const char *) ap_set_receive_buffer_size(cmd_parms *cmd,
> const char *arg);
>
> #define LISTEN_COMMANDS \
>+AP_INIT_TAKE1("TTLimit", ap_set_ttl_limit, NULL, RSRC_CONF, \
>+ "Maximum TTL value which will be accepted"), \
> AP_INIT_TAKE1("ListenBacklog", ap_set_listenbacklog, NULL, RSRC_CONF, \
> "Maximum length of the queue of pending connections, as used by listen(2)"), \
> AP_INIT_TAKE1("ListenCoresBucketsRatio", ap_set_listencbratio, NULL, RSRC_CONF, \
>diff --git a/server/listen.c b/server/listen.c
>index 98cd117..db2564e 100644
>--- a/server/listen.c
>+++ b/server/listen.c
>@@ -55,6 +55,7 @@ static ap_listen_rec **ap_listen_buckets;
> AP_DECLARE_DATA int ap_have_so_reuseport = -1;
>
> static ap_listen_rec *old_listeners;
>+static int ap_ttl_limit;
> static int ap_listenbacklog;
> static int ap_listencbratio;
> static int send_buffer_size;
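Review bot: The help text `"Maximum TTL value which will be accepted"` in the LISTEN_COMMANDS hunk describes an inbound filter, but the make_sock hunk in server/listen.c applies the value with `setsockopt(thesock, IPPROTO_IP, IP_TTL, ...)`, which sets the TTL on packets the server sends rather than a limit on packets it accepts. Incoming connection attempts still reach the listener and only the replies are hop-limited, so an operator reading this string may assume filtering that is not there. Wording such as `"TTL set on packets sent from the listening sockets (1-255)"` would match the code. If inbound minimum-TTL enforcement is the real goal, that is a different socket option (for example `IP_MINTTL` where the platform provides it) and should be documented as such.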
>@@ -186,6 +187,21 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
> return stat;
> }
>
>+ if (ap_ttl_limit) {
>+ int thesock;
>+ apr_os_sock_get(&thesock, s);
>+ if (setsockopt(thesock, IPPROTO_IP, IP_TTL,
>+ &ap_ttl_limit, sizeof(int)) < 0) {
>+ stat = apr_get_netos_error();
>+ ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(02638)
>+ "make_sock: for address %pI, apr_socket_opt_set: "
>+ "(IP_TTL)",
>+ server->bind_addr);
>+ apr_socket_close(s);
>+ return stat;
>+ }
>+ }
>+
> #ifdef WIN32
> /* I seriously doubt that this would work on Unix; I have doubts that
> * it entirely solves the problem on Win32. However, since setting
>@@ -758,6 +774,7 @@ AP_DECLARE(void) ap_listen_pre_config(void)
> ap_listen_buckets = NULL;
> ap_num_listen_buckets = 0;
> ap_listenbacklog = DEFAULT_LISTENBACKLOG;
>+ ap_ttl_limit = 0;
> ap_listencbratio = 0;
>
> /* Check once whether or not SO_REUSEPORT is supported. */
>@@ -863,6 +880,26 @@ AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd,
> return NULL;
> }
>
>+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd,
>+ void *dummy,
>+ const char *arg)
>+{
>+ int b;
>+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
>+
>+ if (err != NULL) {
>+ return err;
>+ }
>+
>+ b = atoi(arg);
>+ if (b < 1 || b > 255) {
>+ return "TTLimit > 0 and TTLimit < 255";
>+ }
>+
>+ ap_ttl_limit = b;
>+ return NULL;
>+}
>+
> AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd,
> void *dummy,
> const char *arg)
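Review bot: In the make_sock hunk the native descriptor is fetched into `int thesock` and the result of `apr_os_sock_get(&thesock, s)` is ignored; the variable should be `apr_os_sock_t thesock;`, and a failed lookup should take the same close-and-return path rather than passing an uninitialised descriptor to `setsockopt`. The option is always set at `IPPROTO_IP`, whatever the address family of `server->bind_addr`. On an IPv6 listener the call may therefore fail, which aborts the listener at APLOG_CRIT, or leave the IPv6 hop limit unchanged, depending on the platform. Branching on the family and using `IPV6_UNICAST_HOPS` for IPv6 would cover both cases. The log text names `apr_socket_opt_set` although the failing call is `setsockopt`, which will mislead whoever triages the error. make_sock's body starts and ends outside the hunk.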
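Review bot: In `ap_set_ttl_limit`, `b = atoi(arg);` gives no way to detect malformed input: a value with trailing junk such as a constructed `64abc` is silently accepted as 64, and an out-of-range numeric string is undefined behaviour for `atoi`. The error string `"TTLimit > 0 and TTLimit < 255"` also contradicts the check, which accepts 255. Parsing with `strtol` and an end-pointer test, with a message that states the real range, makes a typo in a security-relevant directive fail loudly at config time instead of applying an unintended TTL.

```c
    long b;
    char *end;
    /* … unchanged: ap_check_cmd_context() check and early return … */
    b = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || b < 1 || b > 255) {
        return "TTLimit must be an integer between 1 and 255";
    }

    ap_ttl_limit = (int)b;
```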