Bug #29579 Clients using SSL can hang the server
Submitted: 5 Jul 2007 20:31    Modified: 23 Jul 2007 2:54
Reporter: Damien Katz
Status: Closed
Category: Server: General    Severity: S1 (Critical)
Version: 5.0.46    OS: Any
Assigned to: Bugs System    Target Version:

[5 Jul 2007 20:31] Damien Katz
Description:
Because mysqld holds a lock during socket shutdown and SSL does a special handshake where
it sends "close_notify" messages, we are vulnerable to an attack where a client can cause
the server to hang by causing the socket to block indefinitely while the server is
attempting to shutdown the socket.

This is related to bug#22993, where the hang can occur while the master server is shutting
a connection to an SSL connected slave that is blocked. This bug has been created because
of the discovery the hang can come from any SSL connected client, which is a serious DOS
vulnerability.

How to repeat:
Note, the following test requires changes to client/mysqltest that aren't shown (the
addition of the send_quit and the ability to open and close an unlimited number of
connections):

# open one SSL connection and create the table the loop inserts into
connect (ssl_con,localhost,root,,,,,SSL);

create table t1 (a int);

disconnect ssl_con;

let $count= 2000;
while ($count)
{
  connect (ssl_con,localhost,root,,,,,SSL);

  eval insert into t1 values ($count);

  dec $count;

  # send a query without reading its result, then quit the connection
  # without waiting: the server is left to shut down an unread socket
  send select * from t1;
  send_quit ssl_con;

  # if the server is hung, this will hang too:
  connect (ssl_con2,localhost,root,,,,,SSL);

  # no hang if we get here, close and retry
  disconnect ssl_con2;

  disconnect ssl_con;
}
[5 Jul 2007 21:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30404

ChangeSet@1.2507, 2007-07-05 15:01:29-04:00, dkatz@damien-katzs-computer.local +7 -0
  Bug #29579  Clients using SSL can hang the server
  
  Added an option to yassl to allow "quiet shutdown" like openssl does. This option causes
the SSL libs to NOT perform the close_notify handshake during shutdown. This fixes a hang
we experience because we hold a lock during socket shutdown.
[13 Jul 2007 4:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30856

ChangeSet@1.2507, 2007-07-12 22:06:33-04:00, dkatz@damien-katzs-computer.local +9 -0
  Bug #29579  Clients using SSL can hang the server
  
  Added an option to yassl to allow "quiet shutdown" like openssl does. This option causes
the SSL libs to NOT perform the close_notify handshake during shutdown. This fixes a hang
we experience because we hold a lock during socket shutdown.
[13 Jul 2007 6:46] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30857

ChangeSet@1.2530, 2007-07-13 00:45:54-04:00, dkatz@damien-katzs-computer.local +5 -0
  Minor fixes for test failures and compiler warnings for Bug #29579.
[13 Jul 2007 7:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30858

ChangeSet@1.2531, 2007-07-13 01:55:04-04:00, dkatz@damien-katzs-computer.local +1 -0
  When opening a new connection, changed mysqltest to prefer a brand new connection slot
over an existing, closed slot. Fixes a problem with reused slots that can cause tests to
fail. bug#29579
[13 Jul 2007 19:00] Damien Katz
Marked as a duplicate of this bug is Bug #22993 "Master hangs in SSL replication when the
slave runs out of disk space".
[19 Jul 2007 17:48] Bugs System
Pushed into 5.1.21-beta
[19 Jul 2007 17:49] Bugs System
Pushed into 5.0.48
[23 Jul 2007 2:54] Paul DuBois
Noted in 5.0.48, 5.1.21 changelogs.

Clients using SSL can hang the server.