TCP listen()/accept() bug for unbound sockets?

From: Frank van Maarseveen
Date: Fri Aug 27 2004 - 04:57:40 EST

Next message: Thomas Zehetbauer: "Re: netfilter IPv6 support"
Previous message: Denis Vlasenko: "Re: devfs -> udev transition: vcsN are not created"
Next in thread: David S. Miller: "Re: TCP listen()/accept() bug for unbound sockets?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.4.27,

while investigating the xv_bmpslap XV exploit posted to bugtraq I got this
strace which revealed that it seems possible to listen() and accept()
on unbound TCP sockets. The bind() failed and the process appeared to
be listening on a random port in the ip_local_port_range and connected
successfully:

24876 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
24876 bind(4, {sa_family=AF_INET, sin_port=htons(7000), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
24876 listen(4, 1) = 0
24876 accept(4, 0, NULL) = 5
24876 dup2(5, 0) = 0
24876 dup2(5, 1) = 1
24876 dup2(5, 2) = 2
24876 execve("/bin//sh", ["/bin//sh"], [/* 0 vars */]) = 0

is this defined behavior?

--
Frank
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thomas Zehetbauer: "Re: netfilter IPv6 support"
Previous message: Denis Vlasenko: "Re: devfs -> udev transition: vcsN are not created"
Next in thread: David S. Miller: "Re: TCP listen()/accept() bug for unbound sockets?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]