From owner-freebsd-security Fri Nov 21 16:24:53 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA27308 for security-outgoing; Fri, 21 Nov 1997 16:24:53 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id QAA27287 for ; Fri, 21 Nov 1997 16:24:45 -0800 (PST) (envelope-from fenner@parc.xerox.com)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <53363(6)>; Fri, 21 Nov 1997 16:24:11 PST
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177476>; Fri, 21 Nov 1997 16:23:57 -0800
To: Jim Shankland
cc: fenner@parc.xerox.com, security@freebsd.org
Subject: Re: new TCP/IP bug in win95 (fwd)
In-reply-to: Your message of "Fri, 21 Nov 97 16:14:59 PST." <199711220014.QAA05235@biggusdiskus.flyingfox.com>
Date: Fri, 21 Nov 1997 16:23:48 PST
From: Bill Fenner
Message-Id: <97Nov21.162357pst.177476@crevenia.parc.xerox.com>
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Jim Shankland wrote:
>I'm not convinced (yet). How could you ever implement this? Each
>endpoint of a TCP circuit needs a state structure (the TCB). So such
>a connection (like any TCP connection) would have 2 TCB's

Nope. This program creates a self-connection with only one TCB involved.

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(void)
{
	struct sockaddr_in sin;
	int s;
	int on = 1;

	if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		perror("socket");
		exit(1);
	}
	/* Turn on kernel socket tracing so the TCP state changes can be inspected. */
	if (setsockopt(s, SOL_SOCKET, SO_DEBUG, &on, sizeof(on)) < 0) {
		perror("SO_DEBUG");
		exit(1);
	}
	/* Bind to a fixed local port so we know where to connect back to. */
	memset(&sin, 0, sizeof(sin));
	sin.sin_addr.s_addr = INADDR_ANY;
	sin.sin_port = htons(6767);
	sin.sin_family = AF_INET;
	if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
		perror("bind");
		exit(1);
	}

	/*
	 * Connect to ourselves.
	 * Write something to the socket and then read it to prove that
	 * we're connected to ourselves.
	 */
	sin.sin_addr.s_addr = htonl(0x7f000001);	/* 127.0.0.1 */
	if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
		perror("connect");
		exit(1);
	}
	{
		char buf[] = "Hello, world!\n";
		char buf2[100];

		write(s, buf, sizeof(buf));
		read(s, buf2, sizeof(buf));
		/* Echo what came back out of the same socket to stdout. */
		write(STDOUT_FILENO, buf2, sizeof(buf));
	}
	return 0;
}

>You certainly can't get into this state without spoofing: try to
>bind() a client-side (connecting) socket to a port on which a server
>is already listening, and you'll get EADDRINUSE.

Use SO_REUSEADDR (probably in both the client and server).

>> For one thing, src-ip == dst-ip is not the only situation that will
>> cause this behavior on a multi-homed host; determining if this is an
>> evil packet takes a routing table lookup or an interface table search.
>
>Well, I don't think you can do it with one packet

You're right, I was abstracting the problem too much in my head.

  Bill
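The multi-homed point in the last exchange, as an added example that is not part of Bill's message or of FreeBSD's code: an ingress check that asks whether a segment arriving from the wire claims one of this host's own addresses as its source, rather than only whether src == dst. The struct, the function names, and the address table (RFC 5737 documentation ranges) are all constructed for the example; the table lookup is the "interface table search" variant of the check, not a routing-table lookup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-order view of the header fields the check needs.  Values in this
 * example are constructed; nothing is read from a real wire. */
struct pkt_view {
	uint32_t src_ip;
	uint32_t dst_ip;
	uint16_t src_port;
	uint16_t dst_port;
};

#define IP4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
	 ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed table of this host's addresses, standing in for the
 * interface table the mail refers to.  Two interfaces: multi-homed. */
static const uint32_t local_addrs[] = {
	IP4(127, 0, 0, 1),
	IP4(192, 0, 2, 10),	/* first interface */
	IP4(198, 51, 100, 10),	/* second interface */
};
static const size_t n_local = sizeof(local_addrs) / sizeof(local_addrs[0]);

/* The interface table search: a linear scan, which is the per-packet
 * cost the thread is weighing. */
bool is_local_address(uint32_t ip, const uint32_t *tbl, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (tbl[i] == ip)
			return true;
	return false;
}

/* The naive test from the thread: flag only src == dst (and same port). */
bool naive_self_addressed(const struct pkt_view *p)
{
	return p->src_ip == p->dst_ip && p->src_port == p->dst_port;
}

/* Ingress check for a segment that arrived on a physical interface: a
 * source address belonging to this host (any of its addresses, or 127/8)
 * cannot legitimately have come in from the wire.  Segments on the
 * loopback path are exempt, because a genuine self-connection such as
 * the program above does carry src == dst. */
bool spoofed_self_source(const struct pkt_view *p, bool from_wire,
			 const uint32_t *tbl, size_t n)
{
	if (!from_wire)
		return false;
	if ((p->src_ip >> 24) == 127)
		return true;
	return is_local_address(p->src_ip, tbl, n);
}

/* Wrapper over the constructed table for a segment seen on the wire. */
bool check_wire_pkt(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
	struct pkt_view p = { src, dst, sport, dport };
	return spoofed_self_source(&p, true, local_addrs, n_local);
}

int main(void)
{
	/* src == dst: both checks agree. */
	struct pkt_view same = { IP4(192, 0, 2, 10), IP4(192, 0, 2, 10), 6767, 6767 };
	/* src is our *other* interface's address: the naive check misses it. */
	struct pkt_view cross = { IP4(198, 51, 100, 10), IP4(192, 0, 2, 10), 6767, 6767 };
	/* An ordinary remote client: neither check fires. */
	struct pkt_view remote = { IP4(203, 0, 113, 7), IP4(192, 0, 2, 10), 40000, 6767 };
	/* Bill's self-connection, seen on the loopback path: not spoofed. */
	struct pkt_view self = { IP4(127, 0, 0, 1), IP4(127, 0, 0, 1), 6767, 6767 };

	printf("same:   naive=%d table=%d\n", naive_self_addressed(&same),
	       spoofed_self_source(&same, true, local_addrs, n_local));
	printf("cross:  naive=%d table=%d\n", naive_self_addressed(&cross),
	       spoofed_self_source(&cross, true, local_addrs, n_local));
	printf("remote: naive=%d table=%d\n", naive_self_addressed(&remote),
	       spoofed_self_source(&remote, true, local_addrs, n_local));
	printf("self:   naive=%d table=%d\n", naive_self_addressed(&self),
	       spoofed_self_source(&self, false, local_addrs, n_local));
	return 0;
}
```

The `cross` case is the one the src == dst comparison cannot see: on a multi-homed host a forged source of 198.51.100.10 aimed at 192.0.2.10 is just as much "ours" as an exact match, and only a lookup against the full local address set catches it. The `self` case shows why the check has to be tied to the arrival path: applied to loopback traffic it would flag the legitimate one-TCB self-connection demonstrated in the program above.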