vlmcsd doesn't catch SIGPIPE error

[renzhexigua]

Describe the bug

There is a situation that a client can send packets to trigger a DoS attack. The RCA of this vulnerability is vlmcsd doesn't properly handle this SIGPIPE exception.

There is a spectre haunting the Internet -- the spectre of SIGPIPE errors. It's a bug in the original design of Unix networking from 1981 that is perpetuated by college textbooks, which teach students to ignore it. As a consequence, sometimes software unexpectedly crashes. This is particularly acute on industrial and medical networks, where security professionals can't run port/security scans for fear of crashing critical devices.

TCP/IP, Sockets, and SIGPIPE

Screenshots

Remediation/mitigation

1. register ignore handler
2. send with MSG_NOSIGNAL flag

[jyxjjj]

As M$ always did, I think if your service is well-known enough, your IP or domain will be added to black list, so i think this software doesn't suggest anyone put it to public network. Most correctly is start it on a NAS or Router in your own local area network. So i think it doesn't need any security or performance fix.

[rouben]

Aside from @jyxjjj 's comment, note that this is not the dev repository for this software. This is essentially a mirror of the original, which is here. Therefore, it's best to raise the issue there, not here.