nsca libwrap support

Mark Ferlatte ferlatte at cryptio.net
Fri Oct 24 17:59:48 CEST 2003


Attached is a patch for nsca.c (as of CVS this morning), that fixed the
recently added TCP wrappers support.  Tested in both --single and --daemon
modes.

I moved the libwrap check up to just after the accept() and prior to the fork()
in MULTI_PROCESS mode so that rejected attempts don't cause process creation
(trivial DoS attack).  I also fixed the reject logic; the reject() function
calls exit(), which broke single mode.

Let me know if the patch requires cleanup.

M
-------------- next part --------------
Index: nsca.c
===================================================================
RCS file: /cvsroot/nagios/nsca/src/nsca.c,v
retrieving revision 1.16
diff -u -r1.16 nsca.c
--- nsca.c	24 Oct 2003 01:31:08 -0000	1.16
+++ nsca.c	24 Oct 2003 15:55:48 -0000
@@ -725,6 +725,21 @@
 		return;
                 }
 
+#ifdef HAVE_LIBWRAP
+
+	/* Check whether or not connections are allowed from this host */
+	request_init(&req,RQ_DAEMON,"nsca",RQ_FILE,new_sd,0);
+	fromhost(&req);
+
+	if(!hosts_access(&req)){
+		/* refuse the connection */
+		syslog(LOG_ERR, "refused connect from %s", eval_client(&req));
+		close(new_sd);
+		return;
+		}
+#endif
+
+
         /* fork() if we have to... */
         if(mode==MULTI_PROCESS_DAEMON){
 
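Review bot: with the check now ahead of the fork(), request_init(), fromhost() and hosts_access() run in the parent's accept path, so if hosts.allow or hosts.deny contain hostname patterns or PARANOID, the resolver lookup blocks every other client until it returns. A comment above request_init() stating that address-only rules are expected here would help. The refusal is also logged unconditionally at LOG_ERR, where the block it replaces logged at LOG_DEBUG; a denied host that keeps reconnecting can fill syslog, so LOG_WARNING or LOG_NOTICE may fit better. Style: the added lines are tab-indented while the fork() context lines next to them use spaces.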
@@ -760,29 +775,6 @@
         /* log info to syslog facility */
         if(debug==TRUE)
                 syslog(LOG_DEBUG,"Connection from %s port %d",inet_ntoa(nptr->sin_addr),nptr->sin_port);
-
-#ifdef HAVE_LIBWRAP
-
-	/* Check whether or not connections are allowed from this host */
-	request_init(&req,RQ_DAEMON,"nsca",RQ_FILE,new_sd,0);
-	fromhost(&req);
-
-	if(!hosts_access(&req)){
-
-		syslog(LOG_DEBUG,"Connection refused by TCP wrapper");
-
-		/* cleanup */
-		do_cleanup();
-
-		/* refuse the connection */
-		refuse(&req);
-		close(new_sd);
-
-		/* should not be reached */
-		syslog(LOG_ERR,"libwrap refuse() returns!");
-		exit(STATE_CRITICAL);
-		}
-#endif
 
 	/* handle the connection */
 	if(mode==SINGLE_PROCESS_DAEMON)
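Review bot: the unchanged debug line at the top of this hunk prints nptr->sin_port with %d and no ntohs(), so the logged port is byte-swapped on little-endian hosts; since the refused and accepted paths are now both traced through syslog, changing it to ntohs(nptr->sin_port) while here would make the two log lines comparable. With the wrapper block removed from this spot, also confirm that the declaration of req (not visible in either hunk) is in scope for the relocated check and does not leave an unused variable behind under HAVE_LIBWRAP.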