Date:      Fri, 21 Nov 1997 16:23:48 PST
From:      Bill Fenner <fenner@parc.xerox.com>
To:        Jim Shankland <jas@flyingfox.com>
Cc:        fenner@parc.xerox.com, security@freebsd.org
Subject:   Re: new TCP/IP bug in win95 (fwd) 
Message-ID:  <97Nov21.162357pst.177476@crevenia.parc.xerox.com>
In-Reply-To: Your message of "Fri, 21 Nov 97 16:14:59 PST." <199711220014.QAA05235@biggusdiskus.flyingfox.com> 

Jim Shankland <jas@flyingfox.com> wrote:
>I'm not convinced (yet).  How could you ever implement this?  Each
>endpoint of a TCP circuit needs a state structure (the TCB).  So such
>a connection (like any TCP connection) would have 2 TCB's

Nope.  This program creates a self-connection with only one TCB
involved.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int
main(void)
{
    struct sockaddr_in sin;
    int s;
    int on = 1;

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
	perror("socket");
	exit(1);
    }
    /*
     * Per-socket tracing, so the kernel's TCP debug trace shows the one
     * TCB walking through the simultaneous-open states.  Some systems
     * restrict SO_DEBUG to privileged users; the experiment works without it.
     */
    if (setsockopt(s, SOL_SOCKET, SO_DEBUG, &on, sizeof(on)) < 0)
	perror("SO_DEBUG (continuing without tracing)");

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(6767);
    if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
	perror("bind");
	exit(1);
    }
    /*
     * Connect to ourselves: the SYN goes to 127.0.0.1:6767, which is the
     * port this very socket is bound to, so the same TCB receives its own
     * SYN and completes a simultaneous open.
     * Write something to the socket and then read it to prove that
     * we're connected to ourselves.
     */
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* 127.0.0.1 */
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
	perror("connect");
	exit(1);
    }
    {
	char buf[] = "Hello, world!\n";
	char buf2[100];
	ssize_t n;

	if (write(s, buf, sizeof(buf)) < 0) {
	    perror("write");
	    exit(1);
	}
	if ((n = read(s, buf2, sizeof(buf2))) < 0) {
	    perror("read");
	    exit(1);
	}
	/* What we wrote comes back to us on the same socket. */
	write(STDOUT_FILENO, buf2, (size_t)n);
    }
    close(s);
    return 0;
}

>You certainly can't get into this state without spoofing: try to
>bind() a client-side (connecting) socket to a port on which a server
>is already listening, and you'll get EADDRINUSE.

Use SO_REUSEADDR (probably in both the client and server).

>> For one thing, src-ip == dst-ip is not the only situation that will
>> cause this behavior on a multi-homed host; determining if this is an
>> evil packet takes a routing table lookup or an interface table search.
>
>Well, I don't think you can do it with one packet

You're right, I was abstracting the problem too much in my head.

  Bill

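The interface-table search Bill mentions above (src == dst is not the only shape the packet can take on a multihomed host), written out as an added example; this is not code from the message or from FreeBSD. The classifier parses a raw IPv4/TCP packet from bytes and flags a SYN (not SYN/ACK) whose source port equals its destination port and whose source address is any address in the host's own table, not merely equal to the destination. The local address table, the packet builder, the sample addresses (192.0.2.1, 10.0.0.2, 198.51.100.7) and the function names are constructed for the example. The thread concludes that the multihomed variant is not reachable with a single packet; the filter flags it anyway, because a packet arriving from the network with one of the host's own addresses as its source is forged regardless of what the stack would do with it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR 20
#define TCP_MIN_HDR  20
#define PROTO_TCP    6
#define TCP_SYN      0x02
#define TCP_ACK      0x10

static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static void wr16(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v;
}

/* Interface-table search: is addr (host byte order) one of ours? */
static int addr_is_local(const uint32_t *local, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (local[i] == addr)
            return 1;
    return 0;
}

/*
 * Classify a raw IPv4 packet against the host's own address table.
 *  -1: not a well-formed IPv4/TCP packet (too short, wrong version, not TCP)
 *   0: ordinary packet
 *   1: a SYN (ACK clear) whose source and destination ports are equal and
 *      whose source and destination addresses are BOTH local addresses;
 *      src == dst is just the special case where they are the same one.
 */
int classify_self_connect(const unsigned char *pkt, size_t len,
                          const uint32_t *local, size_t nlocal)
{
    if (len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR || len < ihl + TCP_MIN_HDR || pkt[9] != PROTO_TCP)
        return -1;

    uint32_t src = rd32(pkt + 12);
    uint32_t dst = rd32(pkt + 16);
    const unsigned char *tcp = pkt + ihl;
    uint16_t sport = rd16(tcp);
    uint16_t dport = rd16(tcp + 2);
    unsigned char flags = tcp[13];

    if (!(flags & TCP_SYN) || (flags & TCP_ACK))
        return 0;                       /* only an initial SYN opens a TCB */
    if (sport == dport && addr_is_local(local, nlocal, src) &&
        addr_is_local(local, nlocal, dst))
        return 1;
    return 0;
}

/* Build a minimal 40-byte IPv4 + TCP header (constructed test input).
 * Checksums stay zero; the classifier does not verify them. */
size_t build_tcp_packet(unsigned char *buf, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport, unsigned char flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                  /* IPv4, IHL = 5 words */
    wr16(buf + 2, 40);              /* total length */
    buf[8] = 64;                    /* TTL */
    buf[9] = PROTO_TCP;
    wr32(buf + 12, src);
    wr32(buf + 16, dst);
    wr16(buf + 20, sport);
    wr16(buf + 22, dport);
    buf[32] = 0x50;                 /* data offset = 5 words */
    buf[33] = flags;
    return 40;
}

/* Constructed sample: a multihomed host with two addresses. */
static const uint32_t LOCAL_ADDRS[] = { 0xC0000201u /* 192.0.2.1 */,
                                        0x0A000002u /* 10.0.0.2 */ };
#define NLOCAL (sizeof(LOCAL_ADDRS) / sizeof(LOCAL_ADDRS[0]))

/* Build one packet and classify it against LOCAL_ADDRS. */
int check_pkt(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
              unsigned char flags)
{
    unsigned char pkt[40];
    size_t n = build_tcp_packet(pkt, src, dst, sport, dport, flags);
    return classify_self_connect(pkt, n, LOCAL_ADDRS, NLOCAL);
}

int main(void)
{
    printf("src == dst, same port, SYN:      %d\n",
           check_pkt(0xC0000201u, 0xC0000201u, 6767, 6767, TCP_SYN));
    printf("other own address as source:     %d\n",
           check_pkt(0x0A000002u, 0xC0000201u, 6767, 6767, TCP_SYN));
    printf("remote client 198.51.100.7:      %d\n",
           check_pkt(0xC6336407u, 0xC0000201u, 6767, 6767, TCP_SYN));
    printf("own address but SYN/ACK:         %d\n",
           check_pkt(0xC0000201u, 0xC0000201u, 6767, 6767, TCP_SYN | TCP_ACK));
    return 0;
}
```

The second case is the one a plain src == dst comparison misses: the SYN is aimed at 192.0.2.1 but claims to come from 10.0.0.2, which is also ours, so only the table search catches it. Loopback traffic never arrives from the network, so applying this check at ingress does not interfere with the legitimate self-connection the program above makes.
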
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?97Nov21.162357pst.177476>