| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Jul 2015 23:35:14 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Stephen Hemminger <stephen@...workplumber.org> Cc: netdev@...r.kernel.org Subject: Re: Fw: [Bug 102051] New: Unexpected TCP behavior On Mon, 2015-07-27 at 14:02 -0700, Stephen Hemminger wrote: > > Begin forwarded message: > > Date: Mon, 27 Jul 2015 20:06:07 +0000 > From: "bugzilla-daemon@...zilla.kernel.org" <bugzilla-daemon@...zilla.kernel.org> > To: "shemminger@...ux-foundation.org" <shemminger@...ux-foundation.org> > Subject: [Bug 102051] New: Unexpected TCP behavior > > > https://bugzilla.kernel.org/show_bug.cgi?id=102051 > > Bug ID: 102051 > Summary: Unexpected TCP behavior > Product: Networking > Version: 2.5 > Kernel Version: 3.19 > Hardware: All > OS: Linux > Tree: Mainline > Status: NEW > Severity: low > Priority: P1 > Component: IPV4 > Assignee: shemminger@...ux-foundation.org > Reporter: vremetic@...il.com > Regression: No > > While running nmap against localhost I started to see open ports in the dynamic > range (>1024). Kind of odd, knowing netstat and ss did not show any listeners > on the port. > > With tcpdump, I confirmed system was returning S/ACK for ports that did not > have a listener enabled. The "issue" or feature only occurs if source port > matches the destination port. > > # netstat -nap | grep 5000 > # > > $ nc localhost -p 5000 5000 > a > a > > # tcpdump -i lo port 5000 > 14:28:18.059708 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [S], seq 2005295207, > win 43690, options [mss 65495,sackOK,TS val 4481790 ecr 0,nop,wscale 7], length > 0 > 14:28:18.059721 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [S.], seq 2005295207, > ack 2005295208, win 43690, options [mss 65495,sackOK,TS val 4481790 ecr > 4481790,nop,wscale 7], length 0 Nothing wrong here. This is well known TCP behavior ( cross syn ). > 14:28:18.059729 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [.], ack 2005295208, > win 342, options [nop,nop,TS val 4481790 ecr 4481790], length 0 > 14:28:19.121392 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [P.], seq > 2005295208:2005295210, ack 2005295208, win 342, options [nop,nop,TS val 4482056 > ecr 4481790], length 2 > 14:28:19.121407 IP 127.0.0.1.5000 > 127.0.0.1.5000: Flags [.], ack 2005295210, > win 342, options [nop,nop,TS val 4482056 ecr 4482056], length 0 > > # hping3 -S 127.0.0.1 -p 5000 -s 5000 > HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes > len=40 ip=127.0.0.1 ttl=64 id=2036 sport=5000 flags=S seq=0 win=512 rtt=3.8 ms > << SYN > DUP! len=52 ip=127.0.0.1 ttl=64 DF id=670 sport=5000 flags=A seq=0 win=342 > rtt=3.8 ms << SYN/ACK > len=40 ip=127.0.0.1 ttl=64 DF id=43435 sport=5000 flags=RA seq=1 win=0 rtt=3.7 > ms > > I confirmed it with nmap, nc, and hping3; granted they build on same c > libraries, so I am not even sure if this should be filed as a kernel bug (or > even a bug); > just did not expect to see this behavior // > > Expected to see a RST instead. > Sigh. Wont fix. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists