Vulnerability Development mailing list archives

Re: FreeBSD listen() again


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Sun, 31 Oct 1999 00:29:52 +0200


On Sat, 30 Oct 1999, 3APA3A wrote:

> Hello vulN-DEV@,

Hey:-)

>  I wasn't right in defining the problem for backlog in listen()
>  as it was correctly pointed by Sebastian <scut () nb in-berlin de>:

thanks:)

> -=-=-=-=-
> For some unknown reasons berkeley derived implementations multiply backlog
> with 1.5. (backlog = 5 will turn to 8 for example).
> -=-=-=-=-
>
>   It seems real queue length is counted as
>      backlog + (backlog+1)>>1
>
>   that's  why  listen(sock,  1)  will never work as it should. It will
>   allow  to  establish  2 connections. It's for both FreeBSD 2.2.x and
>   3.x, so the problem is even deeper.

Well, there is no "correct" behaviour, because the Posix.1g standard is
loose at this point, no implementation has the correct behaviour and you
can never rely on any of them for security reasons.

The following table is extracted from "Unix Network Programming: Sockets
and XTI" by Richard Stevens. It shows the number of queued connections
for a backlog value and shows the diversity among the interpretations of
it. Btw, Linux allows unlimited connections for a backlog value of 0,
which can be seen as a bug. Also, in order to prevent SYN flooding, the
interpretation of the backlog value has changed to represent only the
already fully established connections.

backlog  AIX 4.2    DUnix 4.0,   HP-UX 10.30 SunOS 4.1.4 Sol 2.5.1 Sol 2.6
         BSD/OS 3.0 Linux 2.0.x,
                    UWare 2.1.2
-------+-----------+------------+-----------+-----------+---------+-------
     0       1            0           1           1          1        1
     1       2            1           1           2          2        3
     2       4            2           3           4          3        4
     3       5            3           4           5          4        6
     4       7            4           6           7          5        7
     5       8            5           7           8          6        9
     6      10            6           9           8          7       10
     7      11            7          10           8          8       12
     8      13            8          12           8          9       13
     9      14            9          13           8         10       15
    10      16           10          15           8         11       16
    11      17           11          16           8         12       18
    12      19           12          18           8         13       19
    13      20           13          18           8         14       21
    14      22           14          19           8         15       22

I hope this clears the situation and stops this discussion :)

         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/

ciao,
scut / team teso security
[http://teso.scene.at/]

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ -  - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet  --
-- you don't need a lot of people to be great, you need a few great to be --
-- the best -----------------------------------------------------------------
--- nuclear arrival weapon spy agent remain undercover, hi echelon ----------
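
The per-system differences in the table can be measured on a local machine. The following is an added example, not part of the original message or of Stevens' book: `queued_connections` is a hypothetical helper that opens its own loopback listener, never calls accept(), and counts how many client connects complete. The 300 ms settle time and the 16 attempts are assumptions.

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_TRIES 32

/* Added example (hypothetical helper): number of connections the kernel
   completes for listen(fd, backlog) on 127.0.0.1 when the server never
   calls accept(). Returns -1 on bad arguments or setup failure. */
int queued_connections(int backlog, int tries)
{
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    struct pollfd p[MAX_TRIES];
    int i, err, done = 0, ls;
    if (tries < 1 || tries > MAX_TRIES || (ls = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (bind(ls, (struct sockaddr *)&a, sizeof a) < 0 || listen(ls, backlog) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &len) < 0) { close(ls); return -1; }
    for (i = 0; i < tries; i++) {                 /* start non-blocking connects */
        p[i].fd = socket(AF_INET, SOCK_STREAM, 0);
        p[i].events = POLLOUT; p[i].revents = 0;
        if (p[i].fd < 0) continue;
        fcntl(p[i].fd, F_SETFL, O_NONBLOCK);
        connect(p[i].fd, (struct sockaddr *)&a, sizeof a);
    }
    poll(NULL, 0, 300);                           /* let the handshakes settle */
    poll(p, tries, 0);                            /* snapshot the socket states */
    for (i = 0; i < tries; i++) {
        len = sizeof err;
        if ((p[i].revents & POLLOUT) && !(p[i].revents & (POLLERR | POLLHUP)) &&
            getsockopt(p[i].fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
            done++;                               /* handshake finished */
        if (p[i].fd >= 0) close(p[i].fd);
    }
    close(ls);
    return done;
}

int main(void)
{
    for (int b = 0; b <= 5; b++)
        printf("backlog %d -> %d connections\n", b, queued_connections(b, 16));
}
```

The count is what the client side sees as established, so the printed column depends on the kernel it runs on, which is the reason the backlog value cannot serve as a connection limit.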


