proxy-protocol doesn't take connect_timeout into consideration, possible DoS

Bug #1502411 reported by Frederic Descamps on 2015-10-03
Affects          Status     Importance   Assigned to   Milestone
Percona Server   moved to https://jira.percona.com/projects/PS (status tracked in 5.7)
  5.1            Invalid    Undecided    Unassigned
  5.5            Invalid    Undecided    Unassigned
  5.6            New        Undecided    Unassigned
  5.7            New        Undecided    Unassigned

Bug Description

When proxy_protocol_network =* is used, it's impossible to connect directly to MySQL (bypassing the proxy that sends the proxy-protocol header).
The problem is that if a mysql client tries to connect anyway, there is no timeout (connect_timeout) used. This can lead to max connections being easily reached:

pxc1 mysql> show full processlist;
+-----+----------------------+-----------------+------+---------+------+--------------------+-----------------------+-----------+---------------+
| Id | User | Host | db | Command | Time | State | Info | Rows_sent | Rows_examined |
+-----+----------------------+-----------------+------+---------+------+--------------------+-----------------------+-----------+---------------+
| 1 | system user | | NULL | Sleep | 1969 | NULL | NULL | 0 | 0 |
| 2 | system user | | NULL | Sleep | 1969 | wsrep aborter idle | NULL | 0 | 0 |
| 9 | root | localhost | NULL | Query | 0 | init | show full processlist | 0 | 0 |
| 990 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 992 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 993 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 994 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 996 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 997 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
+-----+----------------------+-----------------+------+---------+------+--------------------+-----------------------+-----------+---------------+
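
An added detection check, written for this page and not code from the bug report or from Percona: it parses the text output of SHOW FULL PROCESSLIST (as pasted above), counts unauthenticated connections parked in Connect/login with no Time counter (the symptom of connect_timeout not applying), and raises an alert when they approach a max_connections value the caller supplies. The processlist sample is taken from the report; the warning ratio and the function names are assumptions.

```python
"""Detect connections stuck in the pre-authentication 'login' state.

Constructed example for monitoring the condition described in the bug:
clients that skip the PROXY header sit in Connect/login indefinitely and
count against max_connections. Feed this the text of
`mysql -e 'SHOW FULL PROCESSLIST'`.
"""

# Sample copied from the bug report's processlist output (values as reported).
SAMPLE_PROCESSLIST = """\
+-----+----------------------+-----------------+------+---------+------+--------------------+-----------------------+-----------+---------------+
| Id  | User                 | Host            | db   | Command | Time | State              | Info                  | Rows_sent | Rows_examined |
+-----+----------------------+-----------------+------+---------+------+--------------------+-----------------------+-----------+---------------+
| 1   | system user          |                 | NULL | Sleep   | 1969 | NULL               | NULL                  | 0         | 0             |
| 2   | system user          |                 | NULL | Sleep   | 1969 | wsrep aborter idle | NULL                  | 0         | 0             |
| 9   | root                 | localhost       | NULL | Query   | 0    | init               | show full processlist | 0         | 0             |
| 990 | unauthenticated user | connecting host | NULL | Connect | NULL | login              | NULL                  | 0         | 0             |
| 992 | unauthenticated user | connecting host | NULL | Connect | NULL | login              | NULL                  | 0         | 0             |
| 993 | unauthenticated user | connecting host | NULL | Connect | NULL | login              | NULL                  | 0         | 0             |
| 994 | unauthenticated user | connecting host | NULL | Connect | NULL | login              | NULL                  | 0         | 0             |
| 996 | unauthenticated user | connecting host | NULL | Connect | NULL | login              | NULL                  | 0         | 0             |
| 997 | unauthenticated user | connecting host | NULL | Connect | NULL | login              | NULL                  | 0         | 0             |
+-----+----------------------+-----------------+------+---------+------+--------------------+-----------------------+-----------+---------------+
"""


def parse_processlist(text):
    """Turn the ASCII table printed by the mysql client into a list of dicts.

    The first '|' row is the header; '+---+' separator rows are skipped.
    """
    rows = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def stuck_login_connections(rows):
    """Connections that never got past the login handshake.

    These are the threads a client leaves behind when it connects without
    the expected PROXY header: no user yet, Command=Connect, State=login.
    """
    return [
        r for r in rows
        if r["User"] == "unauthenticated user"
        and r["Command"] == "Connect"
        and r["State"] == "login"
    ]


def assess(rows, max_connections, warn_ratio=0.5):
    """Summarise stuck connections against the server's max_connections.

    warn_ratio (assumed default 0.5) is the fraction of max_connections
    occupied by stuck logins at which 'alert' becomes True.
    """
    stuck = stuck_login_connections(rows)
    # Time=NULL means no elapsed timer is running for the thread, i.e. no
    # connect_timeout is being enforced on it.
    no_timer = [r for r in stuck if r["Time"] == "NULL"]
    ratio = len(stuck) / max_connections
    return {
        "total_threads": len(rows),
        "stuck_in_login": len(stuck),
        "stuck_without_timer": len(no_timer),
        "stuck_ratio": ratio,
        "alert": ratio >= warn_ratio,
    }


if __name__ == "__main__":
    # Assumed max_connections of 10 for the demonstration.
    report = assess(parse_processlist(SAMPLE_PROCESSLIST), max_connections=10)
    print(report)
```

In production the value for max_connections should be read from `SHOW VARIABLES LIKE 'max_connections'` rather than hard-coded, and the check run from a monitoring account that connects through the proxy, since a direct connection would itself get stuck in login.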

information type: Private Security → Public Security
tags: added: proxy-protocol

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-3314
