lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 27 Jul 2015 14:02:18 -0700
From:	Stephen Hemminger <stephen@...workplumber.org>
To:	netdev@...r.kernel.org
Subject: Fw: [Bug 102051] New: Unexpected TCP behavior



Begin forwarded message:

Date: Mon, 27 Jul 2015 20:06:07 +0000
From: "bugzilla-daemon@...zilla.kernel.org" <bugzilla-daemon@...zilla.kernel.org>
To: "shemminger@...ux-foundation.org" <shemminger@...ux-foundation.org>
Subject: [Bug 102051] New: Unexpected TCP behavior


https://bugzilla.kernel.org/show_bug.cgi?id=102051

            Bug ID: 102051
           Summary: Unexpected TCP behavior
           Product: Networking
           Version: 2.5
    Kernel Version: 3.19
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: low
          Priority: P1
         Component: IPV4
          Assignee: shemminger@...ux-foundation.org
          Reporter: vremetic@...il.com
        Regression: No

While running nmap against localhost I started to see open ports in the dynamic
range (>1024). Kind of odd, knowing netstat and ss did not show any listeners
on the port.

With tcpdump, I confirmed system was returning S/ACK for ports that did not
have a listener enabled. The "issue" or feature only occurs if source port
matches the destination port.

# netstat -nap | grep 5000
#

$ nc localhost -p 5000 5000
a
a

# tcpdump -i lo port 5000
14:28:18.059708 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [S], seq 2005295207,
win 43690, options [mss 65495,sackOK,TS val 4481790 ecr 0,nop,wscale 7], length
0
14:28:18.059721 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [S.], seq 2005295207,
ack 2005295208, win 43690, options [mss 65495,sackOK,TS val 4481790 ecr
4481790,nop,wscale 7], length 0
14:28:18.059729 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [.], ack 2005295208,
win 342, options [nop,nop,TS val 4481790 ecr 4481790], length 0
14:28:19.121392 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [P.], seq
2005295208:2005295210, ack 2005295208, win 342, options [nop,nop,TS val 4482056
ecr 4481790], length 2
14:28:19.121407 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [.], ack 2005295210,
win 342, options [nop,nop,TS val 4482056 ecr 4482056], length 0

# hping3 -S 127.0.0.1 -p 5000 -s 5000
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes 
len=40 ip=127.0.0.1 ttl=64 id=2036 sport=5000 flags=S seq=0 win=512 rtt=3.8 ms 
           << SYN
DUP! len=52 ip=127.0.0.1 ttl=64 DF id=670 sport=5000 flags=A seq=0 win=342
rtt=3.8 ms      << SYN/ACK
len=40 ip=127.0.0.1 ttl=64 DF id=43435 sport=5000 flags=RA seq=1 win=0 rtt=3.7
ms

I confirmed it with nmap, nc, and hping3; granted they build on same c
libraries, so I am not even sure if this should be filed as a kernel bug (or
even a bug);
just did not expect to see this behavior // 

Expected to see a RST instead.

-- 
You are receiving this mail because:
You are the assignee for the bug.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ