Date: Sun, 16 May 2004 18:16:58 +0400
From: Yar Tikhiy
To: arch@freebsd.org, net@freebsd.org
Cc: Eugene Grosbein
Subject: TIME_WAIT sockets from other users (was Re: bin/65928: [PATCH] stock ftpd uses superuser credentials for active mode sockets)
Message-ID: <20040516141658.GA39893@comp.chem.msu.su>
In-Reply-To: <20040515182157.GB89625@comp.chem.msu.su>
References: <20040508034514.GA937@grosbein.pp.ru> <20040508132354.GB44214@comp.chem.msu.su> <20040515182157.GB89625@comp.chem.msu.su>

Note for the impatient: This message does not discuss the well-known
issue of reusing local addresses through setting SO_REUSEADDR.
This message is on reusing local addresses occupied by sockets
belonging to other users.

On Sat, May 15, 2004 at 10:21:57PM +0400, Yar Tikhiy wrote:
>
> Attached below is a patch addressing the issue of the inability to
> reuse a local IP:port couple occupied by an established TCP connection
> from another user, but by no listeners. Could anybody with fair
> understanding of our TCP/IP stack review it please? Thanks.
>
> --
> Yar
>
> Index: in_pcb.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
> retrieving revision 1.146
> diff -u -p -r1.146 in_pcb.c
> --- in_pcb.c 23 Apr 2004 23:29:49 -0000 1.146
> +++ in_pcb.c 15 May 2004 17:37:18 -0000
> @@ -340,6 +340,8 @@ in_pcbbind_setup(inp, nam, laddrp, lport > return (EADDRINUSE); > } else > if (t && > + (so->so_type != SOCK_STREAM || > + ntohl(t->inp_faddr.s_addr) == INADDR_ANY) && > (ntohl(sin->sin_addr.s_addr) != INADDR_ANY || > ntohl(t->inp_laddr.s_addr) != INADDR_ANY || > (t->inp_socket->so_options & One more detail to note: Currently if another user's socket is in the TIME_WAIT state, it still counts as occupying the local IP:port couple. I cannot see the point of such a behaviour. Restricting bind() is to disallow unprivileged port stealth, but how can one steal a connection in the TIME_WAIT state? For FreeBSD-4 the above patch would take care of this case along with established connections, but in CURRENT TIME_WAIT connections are a special case since they no longer use full-blown state. Therefore, for CURRENT the above patch mutates into the below one. Do I have a point? -- Yar Index: in_pcb.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v retrieving revision 1.146 diff -u -p -r1.146 in_pcb.c --- in_pcb.c 23 Apr 2004 23:29:49 -0000 1.146 +++ in_pcb.c 16 May 2004 13:33:33 -0000 @@ -332,14 +332,10 @@ in_pcbbind_setup(inp, nam, laddrp, lport * XXX * This entire block sorely needs a rewrite. */ - if (t && (t->inp_vflag & INP_TIMEWAIT)) { - if ((ntohl(sin->sin_addr.s_addr) != INADDR_ANY || - ntohl(t->inp_laddr.s_addr) != INADDR_ANY || - (intotw(t)->tw_so_options & SO_REUSEPORT) == 0) && - (so->so_cred->cr_uid != intotw(t)->tw_cred->cr_uid)) - return (EADDRINUSE); - } else if (t && + ((t->inp_vflag & INP_TIMEWAIT) == 0) && + (so->so_type != SOCK_STREAM || + ntohl(t->inp_faddr.s_addr) == INADDR_ANY) && (ntohl(sin->sin_addr.s_addr) != INADDR_ANY || ntohl(t->inp_laddr.s_addr) != INADDR_ANY || (t->inp_socket->so_options &
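Review bot: in the quoted @@ -340,6 +340,8 @@ hunk, the added test ntohl(t->inp_faddr.s_addr) == INADDR_ANY is standing in for "t is not a connected socket", but nothing in the code says so, and this block already carries an XXX asking for a rewrite. A short comment above the two added lines would help: for SOCK_STREAM the other user's pcb blocks the bind only while its foreign address is unset, and for every other socket type the added conjunct is always true, so the old behaviour is kept. The comment should also say that so->so_type is the type of the socket being bound, not of t, since the two are easy to confuse when reading the condition.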
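Review bot: in the @@ -332,14 +332,10 @@ hunk, the new (t->inp_vflag & INP_TIMEWAIT) == 0 test has to stay ahead of the t->inp_socket->so_options dereference later in the same condition, and that ordering requirement is not documented. The removed branch read the options through intotw(t)->tw_so_options and the uid through intotw(t)->tw_cred rather than through t->inp_socket, which suggests inp_socket is not usable for a TIME_WAIT pcb; a one-line comment stating that TIME_WAIT entries are skipped on purpose, and before inp_socket is touched, would keep a later reshuffle of the && chain from introducing a bad dereference. With that branch gone, the uid comparison against tw_cred no longer appears anywhere in the visible lines, so the commit log should state explicitly that another user's TIME_WAIT entry never yields EADDRINUSE from this block. Style: the outer parentheses around the added INP_TIMEWAIT test are redundant.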