* TCP listen()/accept() bug for unbound sockets?
@ 2004-08-27 9:56 Frank van Maarseveen
From: Frank van Maarseveen @ 2004-08-27 9:56 UTC (permalink / raw)
To: linux-kernel
2.4.27,

while investigating the xv_bmpslap XV exploit posted to bugtraq I got this
strace which revealed that it seems possible to listen() and accept()
on unbound TCP sockets. The bind() failed and the process appeared to
be listening on a random port in the ip_local_port_range and connected
successfully:

24876 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
24876 bind(4, {sa_family=AF_INET, sin_port=htons(7000), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
24876 listen(4, 1) = 0
24876 accept(4, 0, NULL) = 5
24876 dup2(5, 0) = 0
24876 dup2(5, 1) = 1
24876 dup2(5, 2) = 2
24876 execve("/bin//sh", ["/bin//sh"], [/* 0 vars */]) = 0

is this defined behavior?
--
Frank
* Re: TCP listen()/accept() bug for unbound sockets?
From: David S. Miller @ 2004-08-27 19:55 UTC (permalink / raw)
To: Frank van Maarseveen; +Cc: linux-kernel
On Fri, 27 Aug 2004 11:56:40 +0200
Frank van Maarseveen <frankvm@xs4all.nl> wrote:
> is this defined behavior?
Yep, we auto-bind the socket for you.
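
The behaviour discussed in this thread, as an added example that is not part of the original messages: on Linux, listen() after a failed bind() succeeds on a kernel-chosen port, so a service that must own a fixed port has to act on bind()'s result and can confirm the port with getsockname(). The function names are hypothetical, and the busy port is constructed by occupying an ephemeral port rather than port 7000.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Port the kernel assigned to fd (0 while unbound), or -1 on error. */
static int local_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* bind() fd to 0.0.0.0:port as in the strace; returns 0 or -errno. */
static int bind_any(int fd, int port) {
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_port = htons((unsigned short)port) };
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    return bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? -errno : 0;
}

/* Call order from the strace; returns the port actually listened on. */
int listen_ignoring_bind(int port, int *fd_out, int *bind_rc) {
    int fd = socket(PF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    *bind_rc = bind_any(fd, port);       /* result recorded, not acted on */
    if (listen(fd, 1) < 0) { close(fd); return -1; }
    *fd_out = fd;
    return local_port(fd);               /* auto-bound port if bind() failed */
}

/* Checked variant: fail closed and confirm the port via getsockname(). */
int listen_checked(int port, int *fd_out) {
    int fd = socket(PF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0) return -errno;
    rc = bind_any(fd, port);
    if (rc == 0 && listen(fd, 1) < 0) rc = -errno;
    if (rc == 0 && local_port(fd) != port) rc = -EADDRNOTAVAIL;
    if (rc != 0) { close(fd); return rc; }
    *fd_out = fd;
    return port;
}

int main(void) {
    int a, b, c, rc, taken = listen_ignoring_bind(0, &a, &rc); /* occupy a port */
    printf("bind(%d) then listen() -> port %d\n", taken, listen_ignoring_bind(taken, &b, &rc));
    printf("bind rc %d; checked variant -> %d\n", rc, listen_checked(taken, &c));
    return 0;
}
```

For monitoring, a listening TCP socket on a port inside ip_local_port_range that no configured service is expected to use is worth a look, since that is where an auto-bound listener lands.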