Re: [Monotone-devel] monotone server crash

[Ulf Ochsenfahrt]

Hi there!

Just writing in to let you know that this still happens with the most 
current version from the monotone repository.

The error can be easily recreated by taking two machines, running one as 
a server and the other as a client and then pulling the network cable on 
the client machine. The timeout can be quite longish, 1/2 hour to 1 hour.

This is a DoS vulnerability. It is possible to use this vulnerability to 
bring down any publicly accessible monotone server.

IMHO, the code in netsync.cc serve_connections around line 2718 needs to 
be hardened against network failures on client connections.

Cheers,

-- Ulf


Ulf Ochsenfahrt wrote:
> Hi,
>
> I'm sorry, I was in a hurry. Here's the complete bug report:
>
> I was running mtn serve on my server (Debian sarge).
>
> monotone 0.28 (base revision: 8c6ce7cb2ccd21290b435e042c2be4554ec6a048)
> Running on          : Linux 2.4.27 #1 Mon Aug 7 20:11:57 CEST 2006 i686
> C++ compiler        : GNU C++ version 3.3.5 (Debian 1:3.3.5-13)
> C++ standard library: GNU libstdc++ version 20050304
> Boost version       : 1_32
> Changes since base revision:
> unknown
>
> My home network connection is currently a bit unreliable. I failed just 
> while I was syncing. The server produced this error message:
>
> mtn: fatal: std::runtime_error: network error: recv failure: Connection 
> timed out
> mtn:
> mtn: this is almost certainly a bug in monotone.
> mtn: please send this error message, the output of 'mtn --full-version',
> mtn: and a description of what you were doing to address@hidden
> mtn: wrote debugging log to /home/ulfjack/.monotone/dump
> mtn: if reporting a bug, please include this file
>
> I've gzip'd the dump and attached it to this email.
>
> My home machine is running the latest version of monotone in debian 
> unstable.
>
> Cheers,
>
> -- Ulf

smime.p7s
Description: S/MIME Cryptographic Signature