Re: TIME_WAIT sockets from other users (was Re: bin/65928: [PATCH] stock ftpd uses superuser credentials for active mode sockets)

• Previous message: Dan Nelson: "Re: kern/56461: FreeBSD client rpc.lockd incompatible with Linux server rpc.lockd"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Sat, 19 Jun 2004 18:56:48 +0400
To: hackers@freebsd.org, net@freebsd.org

On Sun, May 16, 2004 at 06:16:58PM +0400, Yar Tikhiy wrote
  in <20040516141658.GA39893@comp.chem.msu.su>:

> Note for the impatient: This message does not discuss the well-known
> issue of reusing local addresses through setting SO_REUSEADDR. This
> message is on reusing local addresses occupied by sockets belonging
> to other users.
[...]
> > Attached below is a patch addressing the issue of the inability to
> > reuse a local IP:port couple occupied by an established TCP connection
> > from another user, but by no listeners. Could anybody with fair
> > understanding of our TCP/IP stack review it please? Thanks.
[...]
> One more detail to note:
>
> Currently if another user's socket is in the TIME_WAIT state, it
> still counts as occupying the local IP:port couple. I cannot see
> the point of such a behaviour. Restricting bind() is to disallow
> unprivileged port stealth, but how can one steal a connection in
> the TIME_WAIT state?
>
> For FreeBSD-4 the above patch would take care of this case along
> with established connections, but in CURRENT TIME_WAIT connections
> are a special case since they no longer use full-blown state.
> Therefore, for CURRENT the above patch mutates into the below one.
[...]

Since I've got no feedback on this issue, I have little hope that
someone will pay attention to my next patch ;-)
However, I have no experience with IPv6, so currently I've got
no choice but to offer my patch for your review, friends, so that
some kind person might take a glance at it while I'm exercising
myself over IPv6 ;-)

I made this patch by analogy with the IPv4 one, which is already
in the CURRENT kernel--luckily, the IPv6 code is rather comprehensible.
It addresses the same issue I was talking about a month ago, but
for the IPv6 stack: It enables the non-root reuse of local address:port
tuples occupied by established or TIME_WAIT TCP connections from
other local users, as long as these particular cases have no security
implications a.k.a. "port theft."

-- 
Yar
Index: in6_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/in6_pcb.c,v
retrieving revision 1.52
diff -u -p -r1.52 in6_pcb.c
--- in6_pcb.c	12 Jun 2004 20:59:48 -0000	1.52
+++ in6_pcb.c	19 Jun 2004 14:15:14 -0000
@@ -194,14 +194,10 @@ in6_pcbbind(inp, nam, cred)
 				t = in6_pcblookup_local(pcbinfo,
 				    &sin6->sin6_addr, lport,
 				    INPLOOKUP_WILDCARD);
-				if (t && (t->inp_vflag & INP_TIMEWAIT)) {
-					if ((!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) ||
-					    !IN6_IS_ADDR_UNSPECIFIED(&t->in6p_laddr) ||
-					    !(intotw(t)->tw_so_options & SO_REUSEPORT))
-					    && so->so_cred->cr_uid != 
-					    intotw(t)->tw_cred->cr_uid)
-						return (EADDRINUSE);
-				} else if (t &&
+				if (t &&
+				    ((t->inp_vflag & INP_TIMEWAIT) == 0) &&
+				    (so->so_type != SOCK_STREAM ||
+				     IN6_IS_ADDR_UNSPECIFIED(&t->in6p_faddr)) &&
 				    (!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) ||
 			    	     !IN6_IS_ADDR_UNSPECIFIED(&t->in6p_laddr) ||
 				     (t->inp_socket->so_options & SO_REUSEPORT) 
@@ -216,17 +212,12 @@ in6_pcbbind(inp, nam, cred)
 					t = in_pcblookup_local(pcbinfo,
 						sin.sin_addr, lport,
 						INPLOOKUP_WILDCARD);
-					if (t && (t->inp_vflag & INP_TIMEWAIT)) {
-						if (so->so_cred->cr_uid !=
-						    intotw(t)->tw_cred->cr_uid &&
-						    (ntohl(t->inp_laddr.s_addr) !=
-						     INADDR_ANY || 
-						     ((inp->inp_vflag & 
-						       INP_IPV6PROTO) == 
-						      (t->inp_vflag & 
-						       INP_IPV6PROTO))))
-					    return (EADDRINUSE);
-					} else if (t && 
+					if (t &&
+					    ((t->inp_vflag &
+					      INP_TIMEWAIT) == 0) &&
+					    (so->so_type != SOCK_STREAM ||
+					     ntohl(t->inp_faddr.s_addr) ==
+					      INADDR_ANY) &&
 					    (so->so_cred->cr_uid !=
 					     t->inp_socket->so_cred->cr_uid) &&
 					    (ntohl(t->inp_laddr.s_addr) !=
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

• Previous message: Dan Nelson: "Re: kern/56461: FreeBSD client rpc.lockd incompatible with Linux server rpc.lockd"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: TIME_WAIT sockets from other users (was Re: bin/65928: [PATCH] stock ftpd uses superuser credent ... > message is on reusing local addresses occupied by sockets belonging ... >> Attached below is a patch addressing the issue of the inability to ... > with established connections, ... However, I have no experience with IPv6, so currently I've got ... (freebsd-hackers) Re: [Fwd: Re: 3 connections as one] ... Another option has been added to natd, a number wich can be set from 0 to ... 100 to determine the use of the second alias address. ... So when a connection has to be established for the first time, the patch use ... So natd is generating new connections in two diferent IPs (for two diferent ... (freebsd-hackers) Re: [patch] voluntary-preempt-2.6.9-rc2-mm3-S5 ... >>dropping new connections and doesn't have any adverse affects that ... S4 patch and it had the same change in it, but did not exhibit the same ... looking for obvious changes that might affect dropping tcp connections ... (Linux-Kernel) [Full-Disclosure] The remote Openssh User-Level-Denial-Of-Service ... A flawless into connections management and keys handshake was discovered into ... OpenSSH 3.8p1 ... user can open MAX connections to the server's daemon, ... Apply the patch or wait for an official patch from openssh. ... (Full-Disclosure) Multipath routing changes? "[kernel] Badness in dst_release at include/net/dst.h:154" ... This is regarding an external patch to enable routing over multiple network ... Internet connections. ... (Linux-Kernel)