lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Feb 2007 13:09:46 -0500 From: Vlad Yasevich <vladislav.yasevich@...com> To: David Miller <davem@...emloft.net> Cc: weid@...css.fujitsu.com, netdev@...r.kernel.org Subject: Re: Fix bugs in "Whether sock accept queue is full" checking David Miller wrote: > From: weidong <weid@...css.fujitsu.com> > Date: Wed, 14 Feb 2007 11:30:57 -0500 > >> when I use linux TCP socket, and find there is a bug in function >> sk_acceptq_is_full(). > ... >> Consider an example: >> >> After listen(sockfd, 1) system call, sk->sk_max_ack_backlog is set to >> 1. As we know, sk->sk_ack_backlog is initialized to 0. Assuming accept() >> system call is not invoked now. >> >> 1. 1st connection comes. invoke sk_acceptq_is_full(). sk- >>> sk_ack_backlog=0 sk->sk_max_ack_backlog=1, function return 0 accept >> this connection. Increase the sk->sk_ack_backlog >> 2. 2nd connection comes. invoke sk_acceptq_is_full(). sk- >>> sk_ack_backlog=1 sk->sk_max_ack_backlog=1, function return 0 accept >> this connection. Increase the sk->sk_ack_backlog >> 3. 3rd connection comes. invoke sk_acceptq_is_full(). sk- >>> sk_ack_backlog=2 sk->sk_max_ack_backlog=1, function return 1. Refuse >> this connection. >> >> I think it has bugs. after listen system call. sk->sk_max_ack_backlog=1 >> but now it can accept 2 connections. The following patch can fix this >> problem. >> >> signed-off-by: Wei Dong <weid@...css.fujitsu.com> > > Thank you very much for the detailed analysis and fix. > > Actually, this bug exists all over the tree I believe, not just > in TCP. I would like to audit all uses of sk_ack_backlog and > sk_max_ack_backlog before applying your patch, so please give > me some time to perform a quick audit. > > Thank you. Hi David I can confirm the same problem exists in SCTP because of the use of sk_acceptq_is_full(). -vlad - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists