Vulnerability Development mailing list archives
Re: FreeBSD listen() again
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Sun, 31 Oct 1999 00:29:52 +0200
On Sat, 30 Oct 1999, 3APA3A wrote:
> Hello vulN-DEV@,
Hey:-)
> I wasn't right in defining the problem for backlog in listen(), as was correctly pointed out by Sebastian <scut () nb in-berlin de>:
thanks:)
> > For some unknown reasons berkeley derived implementations multiply backlog with 1.5 (backlog = 5 will turn to 8 for example).
>
> It seems the real queue length is counted as backlog + (backlog+1)>>1, that's why listen(sock, 1) will never work as it should. It will allow to establish 2 connections. It's the same for both FreeBSD 2.2.x and 3.x, so the problem is even deeper.
Well, there is no "correct" behaviour, because the Posix.1g standard is loose at this point: no implementation has the correct behaviour and you can never rely on any of them for security reasons. The following table is extracted from "Unix Network Programming: Sockets and XTI" by Richard Stevens. It shows the number of queued connections for a backlog value and shows the diversity among the interpretations of it. Btw, Linux allows unlimited connections for a backlog value of 0, which can be seen as a bug. Also, to prevent SYN flooding, the interpretation of the backlog value has been changed to represent only the already fully established connections.

          AIX 4.2,    DUnix 4.0,   HP-UX 10.30,
backlog   BSD/OS 3.0  Linux 2.0.x  UWare 2.1.2   SunOS 4.1.4  Sol 2.5.1  Sol 2.6
-------+-----------+------------+-------------+------------+----------+--------
   0          1           0             1             1           1         1
   1          2           1             1             2           2         3
   2          4           2             3             4           3         4
   3          5           3             4             5           4         6
   4          7           4             6             7           5         7
   5          8           5             7             8           6         9
   6         10           6             9             8           7        10
   7         11           7            10             8           8        12
   8         13           8            12             8           9        13
   9         14           9            13             8          10        15
  10         16          10            15             8          11        16
  11         17          11            16             8          12        18
  12         19          12            18             8          13        19
  13         20          13            18             8          14        21
  14         22          14            19             8          15        22

I hope this clears the situation and stops this discussion :)
ciao,
scut / team teso security [http://teso.scene.at/]

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet --
-- you don't need a lot of people to be great, you need a few great to be --
-- the best -------------------------------------------------------------
--- nuclear arrival weapon spy agent remain undercover, hi echelon ----------
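Editor's note: since the post's conclusion is that no backlog interpretation can be relied on, the useful thing to carry away is how to measure it. The program below is an added example written for this archive page; it is not code from scut, from 3APA3A, nor Stevens' own test program, although it uses the same method Stevens describes: listen on loopback, never call accept(), and open non-blocking connections one at a time until one no longer completes within a short timeout. `bsd_queue_limit()` encodes the 4.4BSD rule quoted in the thread (sonewconn() refuses a connection once so_qlen exceeds 3 * so_qlimit / 2, so 3*backlog/2 + 1 entries fit; backlog 5 gives 8, backlog 1 gives 2, as the first table column shows). The names `probe_queue_depth`, `MAX_PROBE` and the 500 ms timeout are this example's own choices, not anything from the page.

```c
/*
 * backlog_probe.c -- measure how many connections a kernel really queues
 * for a given listen() backlog. Added example, not code from the thread.
 * Build and run:  cc -O2 -o backlog_probe backlog_probe.c && ./backlog_probe 1
 */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define MAX_PROBE 64   /* upper bound on probe connections; keeps the run finite */

/* 4.4BSD-derived rule discussed in the thread: sonewconn() refuses a new
 * connection once so_qlen > 3 * so_qlimit / 2 (integer division), so
 * 3*backlog/2 + 1 entries fit.  backlog 0 -> 1, 1 -> 2, 5 -> 8. */
int bsd_queue_limit(int backlog)
{
    return 3 * backlog / 2 + 1;
}

static int set_nonblock(int fd)
{
    int fl = fcntl(fd, F_GETFL, 0);
    return fl < 0 ? -1 : fcntl(fd, F_SETFL, fl | O_NONBLOCK);
}

/* 1 if the non-blocking connect on fd completed within timeout_ms,
 * 0 if it is still pending (our SYN was dropped) or was refused/reset. */
static int handshake_done(int fd, int timeout_ms)
{
    fd_set wf;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int err = 0;
    socklen_t el = sizeof err;

    FD_ZERO(&wf);
    FD_SET(fd, &wf);
    if (select(fd + 1, NULL, &wf, NULL, &tv) <= 0)
        return 0;                               /* timed out: queue is full */
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &el) < 0 || err != 0)
        return 0;                               /* ECONNREFUSED / ECONNRESET */
    return 1;
}

/* Number of loopback connections the kernel completes against a listener
 * created with listen(ls, backlog) that never calls accept().
 * Returns -1 if sockets cannot be set up at all (e.g. in a sandbox). */
int probe_queue_depth(int backlog, int timeout_ms)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int clients[MAX_PROBE];
    int ls, n = 0, completed = 0;

    ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                            /* kernel picks a free port */
    if (bind(ls, (struct sockaddr *)&sa, len) < 0 || listen(ls, backlog) < 0 ||
        getsockname(ls, (struct sockaddr *)&sa, &len) < 0) {
        close(ls);
        return -1;
    }

    while (n < MAX_PROBE) {
        int c = socket(AF_INET, SOCK_STREAM, 0);
        if (c < 0 || set_nonblock(c) < 0) {
            if (c >= 0) close(c);
            break;
        }
        clients[n++] = c;
        if (connect(c, (struct sockaddr *)&sa, sizeof sa) < 0 && errno != EINPROGRESS)
            break;                              /* immediate refusal: queue full */
        if (!handshake_done(c, timeout_ms))
            break;                              /* first connection that did not complete */
        completed++;
    }
    while (n > 0)                               /* close probes, then the listener */
        close(clients[--n]);
    close(ls);
    return completed;
}

int main(int argc, char **argv)
{
    int backlog = argc > 1 ? atoi(argv[1]) : 1;
    int measured = probe_queue_depth(backlog, 500);

    printf("listen() backlog %d: 4.4BSD rule predicts %d queued connections, "
           "this kernel completed %d\n", backlog, bsd_queue_limit(backlog), measured);
    return measured < 0;
}
```

Two caveats when reading the result. The count is what the client side observes: a kernel that drops the final ACK of the handshake rather than the SYN lets the client believe it connected while the server side never reaches the accept queue, so the measured number can overshoot by one around the limit. And the thread's point stands regardless of the number: a listener that cannot accept() fast enough is a denial-of-service target whatever the kernel's fudge factor, so the fix is to accept promptly and size the backlog generously, not to compute the exact queue depth.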
Current thread:
- Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 28)
- Re: Possibly exploitable overflow in Alibaba 2.0 W.H.J.Pinckaers (Oct 29)
- FreeBSD listen() again 3APA3A (Oct 30)
- Re: FreeBSD listen() again Sebastian (Oct 30)
- Re: Possibly exploitable overflow in Alibaba 2.0 Blue Boar (Oct 30)
- <Possible follow-ups>
- Re: Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 30)