p2p: rejected inbound connections aren't closed, cause fd leak #2046

ebuchman · 2018-07-24T14:57:20Z

Issue was discovered by a security auditor.

We don't close inbound connection objects when we reject them for max peers:

Lines 487 to 500 in 05a76fb

    
           func (sw *Switch) listenerRoutine(l Listener) { 
        
           	for { 
        
           		inConn, ok := <-l.Connections() 
        
           		if !ok { 
        
           			break 
        
           		} 
        
           		// ignore connection if we already have enough 
        
           		// leave room for MinNumOutboundPeers 
        
           		maxPeers := sw.config.MaxNumPeers - DefaultMinNumOutboundPeers 
        
           		if maxPeers <= sw.peers.Size() { 
        
           			sw.Logger.Info("Ignoring inbound connection: already have enough peers", "address", inConn.RemoteAddr().String(), "numPeers", sw.peers.Size(), "max", maxPeers) 
        
           			continue 
        
           		}

This can be easily exploited to cause nodes to panic from use of too many file descriptors (and may partially explain some of the high fd usage we've been seeing on testnets).

xla · 2018-07-24T15:26:20Z

Related to #2006

ebuchman · 2018-07-25T15:27:53Z

Issue is fixed in 359898d from #2056 and released in v0.22.6 but reopening as we should have better testing for this.

Perhaps will be addressed in #2006 and related

xla · 2018-07-25T15:42:23Z

#2006 is now #2067

…ret derivation This also merges the three calls to hkdf into a single call. Notably the hkdf call is now just called upon the computed shared secret, since the shared secret is a function of the pubkeys. It also makes nonces start at 0, as we are using chacha as a stream cipher. tendermint - revert to v0.10.1 rpc: fix /blockchain OOM #2049 rpc: validate height in abci_query changelog and version p2p: fix conn leak. part of #2046 consensus: include evidence in proposed block parts. fixes #2050 makefile: Add `make check_dep` and remove `make ensure_deps` (#2055) This adds a new makefile command, which is used in CI linting, `make check_dep`. This ensures the toml is in sync with the lock, and that were not pinning to a branch in any repository. This also adapts `make get_vendor_deps` to check the lock, in addition to populating the vendor directory. This removes the need for `make ensure_deps`. This makes `make get_vendor_deps` consistent between tendermint and the sdk.

ebuchman · 2018-08-05T21:04:26Z

Closing for #2067

This is the implementation for the design described in ADR 12[0]. It's the first step of a larger refactor of the p2p package as tracked in interface bundling all concerns of low-level connection handling and isolating the rest of peer lifecycle management from the specifics of the low-level internet protocols. Even if the swappable implementation will never be utilised, already the isolation of conn related code in one place will help with the reasoning about execution path and addressation of security sensitive issues surfaced through bounty programs and audits. We deliberately decided to not have Peer filtering and other management in the Transport, its sole responsibility is the translation of connections to Peers, handing those to the caller fully setup. It's the responsibility of the caller to reject those and or keep track. Peer filtering will take place in the Switch and can be inspected in a the following commit. This changeset additionally is an exercise in clean separation of logic and other infrastructural concerns like logging and instrumentation. By leveraging a clean and minimal interface. How this looks can be seen in a follow-up change. Design #2069[2] Refs #2067[3] Fixes #2047[4] Fixes #2046[5] changes: * describe Transport interface * implement new default Transport: MultiplexTransport * test MultiplexTransport with new constraints * implement ConnSet for concurrent management of net.Conn, synchronous to PeerSet * implement and expose duplicate IP filter * implemnt TransportOption for optional parametirisation [0] https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-012-peer-transport.md [1] #2067 [2] #2069 [3] #2067 [4] #2047 [5] #2046

- 1) protos are now built with the sdk's proto builder - 2) go tools methodology just bloats .mod and .sum making comet harder to work with - 3) tidy: mod and sum don't have maintenance tools in them anymore - 4) stop using an abandoned Dockerfile --------- tl;dr: by removing things from go.mod we can make comet easier to maintain, even if that means less stylish golang. --- #### PR checklist - [ ] Tests written/updated - [ ] Changelog entry added in `.changelog` (we use [unclog](https://github.com/informalsystems/unclog) to manage our changelog) - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments --------- Co-authored-by: Sergio Mena <sergio@informal.systems>

ebuchman added T:bug Type Bug (Confirmed) C:p2p Component: P2P pkg T:security Type: Security (specify priority) labels Jul 24, 2018

ebuchman added this to Planned in current iteration via automation Jul 24, 2018

xla added this to the launch milestone Jul 24, 2018

ebuchman added a commit that referenced this issue Jul 25, 2018

p2p: fix conn leak. part of #2046

94bbef5

ebuchman added a commit that referenced this issue Jul 25, 2018

p2p: fix conn leak. part of #2046

359898d

ebuchman mentioned this issue Jul 25, 2018

Hotfix/v0.22.6 #2056

Merged

4 tasks

xla mentioned this issue Jul 25, 2018

P2P Refactor #2067

Closed

ValarDragon pushed a commit that referenced this issue Jul 25, 2018

p2p: fix conn leak. part of #2046

ec65193

xla self-assigned this Jul 27, 2018

xla moved this from Planned to Ongoing in current iteration Jul 27, 2018

ebuchman closed this as completed Aug 5, 2018

current iteration automation moved this from Ongoing to Done Aug 5, 2018

bennofs mentioned this issue Jan 5, 2019

p2p: file descriptor leaks #2967

Closed

abelliumnt mentioned this issue Mar 5, 2019

R4R: Fix goroutine leak irisnet/tendermint#44

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

p2p: rejected inbound connections aren't closed, cause fd leak #2046

p2p: rejected inbound connections aren't closed, cause fd leak #2046

ebuchman commented Jul 24, 2018

xla commented Jul 24, 2018

ebuchman commented Jul 25, 2018

xla commented Jul 25, 2018

ebuchman commented Aug 5, 2018

p2p: rejected inbound connections aren't closed, cause fd leak #2046

p2p: rejected inbound connections aren't closed, cause fd leak #2046

Comments

ebuchman commented Jul 24, 2018

xla commented Jul 24, 2018

ebuchman commented Jul 25, 2018

xla commented Jul 25, 2018

ebuchman commented Aug 5, 2018