finding where a bug lives
November 21, 2006
I’m confused. I’ve got a client connection to a server/service at work where I think I’ve found a bug and the response by the vendor is just baffling.
I’m using the vendor’s python module to connect to the daemon that’s listening on a tcp port. I connect, grab some data based on some input, then disconnect. It’s pretty simple. Now, I decided to play around a little bit, and while I was testing some of the input validation I was doing, I ended up throwing about 1000 consecutive connections at the daemon. So, I was looping in a connect-read-disconnect process about 1000 times. (Essentially, I had a script which did a single connection, and I used a shell loop to run the command over a big set of things from a text file.) Now, at this point I start seeing odd behavior. Sometimes the daemon locks up and won’t respond at all, and I then need to log into the machine, clean up some garbage and restart the daemon. Sometimes it just hangs up entirely and I have to recreate the data it’s reading the info from on the backend. It’s just goofy.
So, I contact the vendor, tell them what my script was doing, which they said is fine, then tell them about the loop I was running it in when I did it. At this point, they get fairly snarky and start telling me that the fault is in my loop. That I’m a bad programmer for not opening the connection and keeping it open. I’m happy to acknowledge that I’m not a very good programmer, but that I was just messing about, not really going for the most efficient mechanism. They become abrupt and make it clear that they feel that clients making lots of short, serial connections to their daemon are a bug in the client code/use and not in their daemon.
Now, I’ve read bugtraq enough to know that if I can knock over a daemon from a client and make it so other clients can’t use it, that is a Denial of Service attack. So, I’m curious, does this seem like a client code/use bug to anyone else, or is it just me who thinks the vendor should be responsible for making their daemon more robust/reliable? Drop me an email if you have a comment. Thanks.
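For contrast with the daemon described above, here is an added example (not the vendor’s module or daemon, and not from the original post) of a small Python TCP lookup service that survives exactly the connect-read-disconnect churn the post describes: every connection gets an idle timeout, leaves no state behind when it closes, and the backend data it serves is a constructed in-memory dictionary. The `churn` function replays the post’s loop against it and counts correct replies, so the same check can be run against any daemon that speaks a line-oriented protocol.

```python
import socket
import socketserver
import threading

# Constructed sample backend data the daemon serves (key -> record).
BACKEND = {b"alpha": b"record-1", b"beta": b"record-2"}


class LookupHandler(socketserver.StreamRequestHandler):
    """Serve one connect-read-disconnect exchange, then release everything."""
    timeout = 2  # assumed limit: an idle client cannot pin a worker thread forever

    def handle(self):
        try:
            key = self.rfile.readline().strip()
        except socket.timeout:
            return  # slow or silent client: drop it, the daemon keeps running
        self.wfile.write(BACKEND.get(key, b"NOT FOUND") + b"\n")
        # Returning from handle() closes the connection; no per-client state
        # survives, so the next connection starts from a clean slate.


class ChurnTolerantServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True  # worker threads never block shutdown


def start_server():
    """Bind to an ephemeral localhost port and serve in a background thread."""
    srv = ChurnTolerantServer(("127.0.0.1", 0), LookupHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def query(port, key):
    """One client cycle: connect, send a key, read one reply line, disconnect."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s, \
            s.makefile("rb") as f:
        s.sendall(key + b"\n")
        return f.readline().strip()


def churn(port, n):
    """The post's loop: n serial connections; returns how many answered correctly."""
    return sum(query(port, b"alpha") == b"record-1" for _ in range(n))


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(churn(port, 1000), "of 1000 lookups answered correctly")
    srv.shutdown()
```

A daemon that passes this check for 1000 cycles but later locks up is leaking something per connection (threads, file descriptors, locks, or backend state), which is the robustness defect the post is asking about.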