From 17d60ab0e6439ff934a8c3db6d39c37a59cf1524 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 15 Sep 2016 16:41:32 +0200
Subject: [PATCH] auth: Don't exit if the webserver can't accept a connection

This could lead to a Denial Of Service, before we even got a chance
to check that the remote client is allowed by the ACL.

Reported by mongo (thanks!).
---
 pdns/webserver.cc | 37 +++++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 10 deletions(-)

diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index 18bd62086..6a092373b 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -35,8 +35,8 @@
 #include <yahttp/router.hpp>
 
 struct connectionThreadData {
-  WebServer* webServer;
-  Socket* client;
+  WebServer* webServer{nullptr};
+  Socket* client{nullptr};
 };
 
 json11::Json HttpRequest::json()
@@ -363,14 +363,31 @@ void WebServer::go()
       // data and data->client will be freed by thread
       connectionThreadData *data = new connectionThreadData;
       data->webServer = this;
-      data->client = d_server->accept();
-      if (data->client->acl(acl)) {
-        pthread_create(&tid, 0, &WebServerConnectionThreadStart, (void *)data);
-      } else {
-        ComboAddress remote;
-        if (data->client->getRemote(remote))
-          L<<Logger::Error<<"Webserver closing socket: remote ("<< remote.toString() <<") does not match 'webserver-allow-from'"<<endl;
-        delete data->client; // close socket
+      try {
+        data->client = d_server->accept();
+        if (data->client->acl(acl)) {
+          pthread_create(&tid, 0, &WebServerConnectionThreadStart, (void *)data);
+        } else {
+          ComboAddress remote;
+          if (data->client->getRemote(remote))
+            L<<Logger::Error<<"Webserver closing socket: remote ("<< remote.toString() <<") does not match 'webserver-allow-from'"<<endl;
+          delete data->client; // close socket
+          delete data;
+        }
+      }
+      catch(PDNSException &e) {
+        L<<Logger::Error<<"PDNSException while accepting a connection in main webserver thread: "<<e.reason<<endl;
+        delete data->client;
+        delete data;
+      }
+      catch(std::exception &e) {
+        L<<Logger::Error<<"STL Exception while accepting a connection in main webserver thread: "<<e.what()<<endl;
+        delete data->client;
+        delete data;
+      }
+      catch(...) {
+        L<<Logger::Error<<"Unknown exception while accepting a connection in main webserver thread"<<endl;
+        delete data->client;
         delete data;
       }
     }
-- 
2.40.0