This may apply to all known versions of inetd.

For a tcp/nowait connection, inetd invokes accept(2) for
each pending connection; this call returns a file descriptor
associated with the new connection.

Twelve years ago, code was added to inetd to detect "failing
servers".  The heuristic that identifies a failing server is
one that has been invoked a large number of times over some
specified interval (e.g., more than 128 ftp services started
in 60 seconds may flag the ftp service as "failing").  These
compile-time constants vary depending on vendor.

The problem is that, when a failing server is detected, the
code neglects to close the file descriptor returned by the
accept(2).

Security-Implications:
I suppose someone with ample free time could orchestrate an
attack buy pummeling services until the inetd process finally
runs out of file descriptors thus rendering inetd useless to
any new connections that require a new descriptor.

PR:		7286
Reviewed by:	phk
Submitted by:	Jeff Forys <jeff@forys.cranbury.nj.us>

1 files changed, 4 insertions, 1 deletions

diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c
index 4f19d0ad690a..a963534ce4a6 100644
--- a/usr.sbin/inetd/inetd.c
+++ b/usr.sbin/inetd/inetd.c
@@ -42,7 +42,7 @@ static const char copyright[] =
 static char sccsid[] = "@(#)from: inetd.c	8.4 (Berkeley) 4/13/94";
 #endif
 static const char rcsid[] =
-	"$Id: inetd.c,v 1.33 1998/05/11 12:11:59 bde Exp $";
+	"$Id: inetd.c,v 1.34 1998/05/14 20:26:16 guido Exp $";
 #endif /* not lint */
 
 /*
@@ -461,6 +461,9 @@ main(argc, argv, envp)
 				    if (errno != EINTR)
 					    syslog(LOG_WARNING,
 						"accept (for %s): %m",
+                                      if (sep->se_accept &&
+                                          sep->se_socktype == SOCK_STREAM)
+                                              close(ctrl);
 						sep->se_service);
 				    continue;
 			    }