| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20070605191536.cc9a4719.dada1@cosmosbay.com> Date: Tue, 5 Jun 2007 19:15:36 +0200 From: Eric Dumazet <dada1@...mosbay.com> To: David Miller <davem@...emloft.net> Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: [BUG] UDP : bind() checks are not complete David I discovered one big problem with UDP binding in 2.6.22-rc4 : Consider you have eth0 with addr 192.168.0.1 Consider one UDP socket was bound to 192.168.0.1:32769. It will be stored on a slot != 1 Another UDP socket is created and binded to (0.0.0.0:0) __udp_lib_get_port() is called with snum=0 and ANY_ADDR We try to find a hash chain with the lowest count of sockets. If we find an empty chain (slot=1 result=32769 for example), we consider we finished our checks. This not true since last udp lookups changes. If we allow the new socket to get port 32769, and source address of outgoing message is set to 192.168.0.1, then answers (incoming messages to 192.168.0.1:32769) will go to first socket, because We really should check no socket is bound to XXX.XXX.XXX.XXX:32769. With current hashing, it means checking all slots in udptable[] :( Our choices are : 1) Drop all thoses patches and re-think them for 2.6.23 eventually 2) Add the extra check for ANY_ADDR sockets and perform a full scan What do you think ? - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists