Bug #29579 Clients using SSL can hang the server
Submitted: 5 Jul 2007 18:31 Modified: 23 Jul 2007 0:54
Reporter: Damien Katz
Status: Closed
Category: MySQL Server: General    Severity: S1 (Critical)
Version: 5.0.46    OS: Any
Assigned to: Damien Katz    CPU Architecture: Any

[5 Jul 2007 18:31] Damien Katz
Description:
Because mysqld holds a lock during socket shutdown and SSL does a special handshake where it sends "close_notify" messages, we are vulnerable to an attack where a client can cause the server to hang by causing the socket to block indefinitely while the server is attempting to shut down the socket.

This is related to bug#22993, where the hang can occur while the master server is shutting a connection to an SSL-connected slave that is blocked. This bug has been created because of the discovery that the hang can come from any SSL-connected client, which is a serious DoS vulnerability.

How to repeat:
Note, the following test requires changes to client/mysqltest that aren't shown (the addition of the send_quit and the ability to open and close an unlimited number of connections):

connect (ssl_con,localhost,root,,,,,SSL);

create table t1 (a int);

disconnect ssl_con;

let $count= 2000;
while ($count)
{

  connect (ssl_con,localhost,root,,,,,SSL);

  eval insert into t1 values ($count);
  
  dec $count;
  
  send select * from t1;
  send_quit ssl_con;
  
  # if the server is hung, this will hang too:
  connect (ssl_con2,localhost,root,,,,,SSL);
  
  # no hang if we get here, close and retry
  disconnect ssl_con2;
  
  disconnect ssl_con;
}
[5 Jul 2007 19:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30404

ChangeSet@1.2507, 2007-07-05 15:01:29-04:00, dkatz@damien-katzs-computer.local +7 -0
  Bug #29579  Clients using SSL can hang the server
  
  Added an option to yassl to allow "quiet shutdown" like openssl does. This option causes the SSL libs to NOT perform the close_notify handshake during shutdown. This fixes a hang we experience because we hold a lock during socket shutdown.
[13 Jul 2007 2:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30856

ChangeSet@1.2507, 2007-07-12 22:06:33-04:00, dkatz@damien-katzs-computer.local +9 -0
  Bug #29579  Clients using SSL can hang the server
  
  Added an option to yassl to allow "quiet shutdown" like openssl does. This option causes the SSL libs to NOT perform the close_notify handshake during shutdown. This fixes a hang we experience because we hold a lock during socket shutdown.
[13 Jul 2007 4:46] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30857

ChangeSet@1.2530, 2007-07-13 00:45:54-04:00, dkatz@damien-katzs-computer.local +5 -0
  Minor fixes for test failures and compiler warnings for Bug #29579.
[13 Jul 2007 5:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30858

ChangeSet@1.2531, 2007-07-13 01:55:04-04:00, dkatz@damien-katzs-computer.local +1 -0
  When opening a new connection, changed mysqltest to prefer a brand new connection slot over an existing, closed slot. Fixes a problem with reused slots that can cause tests to fail. bug#29579
[13 Jul 2007 17:00] Damien Katz
Marked as a duplicate of this bug is Bug #22993 "Master hangs in SSL replication when the slave runs out of disk space".
[19 Jul 2007 15:48] Bugs System
Pushed into 5.1.21-beta
[19 Jul 2007 15:49] Bugs System
Pushed into 5.0.48
[23 Jul 2007 0:54] Paul DuBois
Noted in 5.0.48, 5.1.21 changelogs.

Clients using SSL can hang the server.