Debian Bug report logs - #777349
intermittent "size read failed" (clients can lose response data from server)


Package: cyrus-sasl2; Maintainer for cyrus-sasl2 is Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>;

Reported by: Kees Cook <kees@debian.org>

Date: Sat, 7 Feb 2015 16:09:02 UTC

Severity: normal

Tags: patch

Found in version 2.1.26.dfsg1-12

Fixed in version cyrus-sasl2/2.1.26.dfsg1-13

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>:
Bug#777349; Package cyrus-sasl2. (Sat, 07 Feb 2015 16:09:07 GMT)


Acknowledgement sent to Kees Cook <kees@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>. (Sat, 07 Feb 2015 16:09:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Kees Cook <kees@debian.org>
To: Debian Bugs <submit@bugs.debian.org>
Subject: intermittent "size read failed" (clients can lose response data from server)
Date: Sat, 7 Feb 2015 07:58:00 -0800
Package: cyrus-sasl2
Version: 2.1.26.dfsg1-12
Severity: normal
Tags: patch

Under certain conditions (server load? memory pressure?) it was possible
for responses from saslauthd to get lost. The client library sends data
and waits for a response. The server sends a response and immediately
closes the connection without waiting for the connection to flush. The
pending response can get lost (kernel throws it away), leaving the
client to error out with "size read failed". The solution is for the
server to more carefully shut down the socket and wait for the client
to close the connection.

-Kees

-- 
Kees Cook                                            @debian.org
[early-hangup.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>:
Bug#777349; Package cyrus-sasl2. (Sat, 07 Feb 2015 16:24:04 GMT)


Acknowledgement sent to Kees Cook <kees@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>. (Sat, 07 Feb 2015 16:24:04 GMT)


Message #10 received at 777349@bugs.debian.org:

From: Kees Cook <kees@debian.org>
To: 777349@bugs.debian.org
Subject: patch with description
Date: Sat, 7 Feb 2015 08:13:58 -0800
Here's an updated patch with proper headers. :)

Also, for background on the solution, see:
http://blog.netherlabs.nl/articles/2009/01/18/the-ultimate-so_linger-page-or-why-is-my-tcp-not-reliable

-- 
Kees Cook                                            @debian.org
[early-hangup.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>:
Bug#777349; Package cyrus-sasl2. (Wed, 11 Feb 2015 12:51:08 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>. (Wed, 11 Feb 2015 12:51:08 GMT)


Message #15 received at 777349@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Kees Cook <kees@debian.org>, Debian Bugs <777349@bugs.debian.org>
Subject: Re: Bug#777349: intermittent "size read failed" (clients can lose response data from server)
Date: Wed, 11 Feb 2015 13:46:59 +0100
Kees,

thanks for the patch, I have two questions though:

1) Do you think it's a jessie material?
2) Has it been submitted upstream?

Cheers,
Ondrej

On Sat, Feb 7, 2015, at 16:58, Kees Cook wrote:
> Package: cyrus-sasl2
> Version: 2.1.26.dfsg1-12
> Severity: normal
> Tags: patch
> 
> Under certain conditions (server load? memory pressure?) it was possible
> for responses from saslauthd to get lost. The client library sends data
> and waits for a response. The server sends a response and immediately
> closes the connection without waiting for the connection to flush. The
> pending response can get lost (kernel throws it away), leaving the
> client to error out with "size read failed". The solution is for the
> server to more carefully shut down the socket and wait for the client
> to close the connection.
> 
> -Kees
> 
> -- 
> Kees Cook                                            @debian.org
> _______________________________________________
> Pkg-cyrus-sasl2-debian-devel mailing list
> Pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cyrus-sasl2-debian-devel
> Email had 1 attachment:
> + early-hangup.patch
>   1k (text/x-diff)


-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>:
Bug#777349; Package cyrus-sasl2. (Wed, 11 Feb 2015 21:57:05 GMT)


Acknowledgement sent to Kees Cook <kees@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>. (Wed, 11 Feb 2015 21:57:05 GMT)


Message #20 received at 777349@bugs.debian.org:

From: Kees Cook <kees@debian.org>
To: Ondřej Surý <ondrej@sury.org>
Cc: Debian Bugs <777349@bugs.debian.org>
Subject: Re: Bug#777349: intermittent "size read failed" (clients can lose response data from server)
Date: Wed, 11 Feb 2015 13:52:48 -0800
Hi Ondřej,

On Wed, Feb 11, 2015 at 01:46:59PM +0100, Ondřej Surý wrote:
> Kees,
> 
> thanks for the patch, I have two questions though:
> 
> 1) Do you think it's a jessie material?

I think so -- this problem manifested when I switched from a 3.13 kernel to
a 3.16 kernel. Since Jessie will ship at least 3.16, I think it would be a
good change to backport.

> 2) Has it been submitted upstream?

I have not, no.

Thanks!

-Kees

-- 
Kees Cook                                            @debian.org



Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Mon, 09 Mar 2015 13:51:14 GMT)


Notification sent to Kees Cook <kees@debian.org>:
Bug acknowledged by developer. (Mon, 09 Mar 2015 13:51:14 GMT)


Message #25 received at 777349-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 777349-close@bugs.debian.org
Subject: Bug#777349: fixed in cyrus-sasl2 2.1.26.dfsg1-13
Date: Mon, 09 Mar 2015 13:48:33 +0000
Source: cyrus-sasl2
Source-Version: 2.1.26.dfsg1-13

We believe that the bug you reported is fixed in the latest version of
cyrus-sasl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 777349@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated cyrus-sasl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Mar 2015 14:21:23 +0100
Source: cyrus-sasl2
Binary: sasl2-bin cyrus-sasl2-doc libsasl2-2 libsasl2-modules libsasl2-modules-db libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql libsasl2-modules-gssapi-mit libsasl2-dev libsasl2-modules-gssapi-heimdal cyrus-sasl2-dbg cyrus-sasl2-mit-dbg cyrus-sasl2-heimdal-dbg
Architecture: source all
Version: 2.1.26.dfsg1-13
Distribution: unstable
Urgency: medium
Maintainer: Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
 cyrus-sasl2-dbg - Cyrus SASL - debugging symbols
 cyrus-sasl2-doc - Cyrus SASL - documentation
 cyrus-sasl2-heimdal-dbg - Cyrus SASL - debugging symbols for Heimdal modules
 cyrus-sasl2-mit-dbg - Cyrus SASL - debugging symbols for MIT modules
 libsasl2-2 - Cyrus SASL - authentication abstraction library
 libsasl2-dev - Cyrus SASL - development files for authentication abstraction lib
 libsasl2-modules - Cyrus SASL - pluggable authentication modules
 libsasl2-modules-db - Cyrus SASL - pluggable authentication modules (DB)
 libsasl2-modules-gssapi-heimdal - Pluggable Authentication Modules for SASL (GSSAPI)
 libsasl2-modules-gssapi-mit - Cyrus SASL - pluggable authentication modules (GSSAPI)
 libsasl2-modules-ldap - Cyrus SASL - pluggable authentication modules (LDAP)
 libsasl2-modules-otp - Cyrus SASL - pluggable authentication modules (OTP)
 libsasl2-modules-sql - Cyrus SASL - pluggable authentication modules (SQL)
 sasl2-bin  - Cyrus SASL - administration programs for SASL users database
Closes: 777349
Changes:
 cyrus-sasl2 (2.1.26.dfsg1-13) unstable; urgency=medium
 .
   * Shutdown down the write side of the socket and wait for the client to
     close the connection (0 byte read) before closing the server side
     (Closes: #777349) (Courtesy of Kees Cook)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
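
The fix described in the original report and in the 2.1.26.dfsg1-13 changelog entry (send the reply, shut down the write side, wait for a 0-byte read, then close) can be sketched as follows. This is an added example, not the attached early-hangup.patch or saslauthd code: `reply_and_linger`, the socketpair demo client, the "OK" reply and the timeout values are assumptions for illustration, and the timeout is there so a client that never closes cannot hold a server worker indefinitely.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not saslauthd code): send the reply, half-close, then wait
 * for the peer's EOF. Returns 0 if the peer closed, 1 on timeout, -1 on error. */
static int reply_and_linger(int fd, const char *buf, size_t len, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    char scratch[256]; int rc = -1;
    while (len > 0) {                        /* deliver the whole reply */
        ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) goto out;
        buf += n; len -= (size_t)n;
    }
    if (shutdown(fd, SHUT_WR) < 0) goto out; /* peer sees EOF after the data */
    for (;;) {                               /* discard input until 0-byte read */
        int r = poll(&p, 1, timeout_ms);
        if (r == 0) { rc = 1; break; }       /* bounded wait: stuck client */
        if (r < 0) { if (errno == EINTR) continue; break; }
        ssize_t n = read(fd, scratch, sizeof scratch);
        if (n == 0) { rc = 0; break; }       /* client closed: safe to close */
        if (n < 0 && errno != EINTR) break;
    }
out:
    close(fd);                               /* descriptor is always released */
    return rc;
}

/* Constructed demo: a forked client on a socketpair exits with the number of
 * reply bytes it read before EOF; the parent plays the server. */
static int demo_reply_bytes_seen(void)
{
    int sv[2], status = 0; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                          /* client side */
        char buf[64]; ssize_t n; int got = 0;
        close(sv[0]);
        while ((n = read(sv[1], buf, sizeof buf)) > 0) got += (int)n;
        _exit(got);                          /* exiting closes sv[1] */
    }
    close(sv[1]);
    int rc = reply_and_linger(sv[0], "OK", 2, 2000);
    waitpid(pid, &status, 0);
    return (rc == 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
int main(void) { return demo_reply_bytes_seen() == 2 ? 0 : 1; }
```
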




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Apr 2015 07:27:58 GMT)

