Date:	Tue, 5 Jun 2007 19:15:36 +0200
From:	Eric Dumazet <dada1@...mosbay.com>
To:	David Miller <davem@...emloft.net>
Cc:	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: [BUG] UDP : bind() checks are not complete

David

I discovered one big problem with UDP binding in 2.6.22-rc4 :

Consider you have eth0 with addr 192.168.0.1

Consider one UDP socket was bound to 192.168.0.1:32769. It will be stored on a slot != 1

Another UDP socket is created and bound to (0.0.0.0:0)

__udp_lib_get_port() is called with snum=0 and ANY_ADDR

We try to find a hash chain with the lowest count of sockets.

If we find an empty chain (slot=1 result=32769 for example), we consider we finished our checks.

This is not true since the last UDP lookup changes.

If we allow the new socket to get port 32769, and source address of
outgoing message is set to 192.168.0.1, then answers 
(incoming messages to 192.168.0.1:32769) will go to first socket, because 

We really should check no socket is bound to XXX.XXX.XXX.XXX:32769. With current hashing, 
it means checking all slots in udptable[] :(

Our choices are :

1) Drop all those patches and re-think them for 2.6.23 eventually
2) Add the extra check for ANY_ADDR sockets and perform a full scan

What do you think ?
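
The scenario from the message above, modelled as an added example (not part of the original mail and not kernel code). The table size, the `slot_of()` hash and all `toy_*`/`any_port_*` names are hypothetical; the hash is constructed so that 192.168.0.1:32769 lands outside slot 1 while 0.0.0.0:32769 lands in slot 1, as the mail describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HTABLE_SIZE 128   /* toy table size (assumption) */
#define ANY_ADDR    0u

struct toy_sock { uint32_t addr; uint16_t port; struct toy_sock *next; };
static struct toy_sock *table[HTABLE_SIZE];

/* Constructed hash mixing address and port; not the kernel's function. */
static unsigned slot_of(uint32_t addr, uint16_t port)
{
    return (addr ^ port) & (HTABLE_SIZE - 1);
}
/* Incomplete check: look only at the chain 0.0.0.0:port hashes to. */
static int any_port_free_chain_only(uint16_t port)
{
    for (struct toy_sock *sk = table[slot_of(ANY_ADDR, port)]; sk; sk = sk->next)
        if (sk->port == port)
            return 0;
    return 1;
}

/* Choice 2 from the mail: an ANY_ADDR bind scans every slot for the port. */
static int any_port_free_full_scan(uint16_t port)
{
    for (unsigned slot = 0; slot < HTABLE_SIZE; slot++)
        for (struct toy_sock *sk = table[slot]; sk; sk = sk->next)
            if (sk->port == port)
                return 0;
    return 1;
}

/* Constructed scenario: 192.168.0.1:32769 is bound, then 0.0.0.0 wants 32769. */
static int demo(int full_scan)
{
    static struct toy_sock first = { 0xC0A80001u, 32769, NULL };
    memset(table, 0, sizeof(table));
    table[slot_of(first.addr, first.port)] = &first;
    return full_scan ? any_port_free_full_scan(32769)
                     : any_port_free_chain_only(32769);
}

int main(void)
{
    printf("chain-only check says port free: %d\n", demo(0));
    printf("full-scan check says port free:  %d\n", demo(1));
    return 0;
}
```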