[Full-Disclosure] THREATCON back up!

From: silvio@big.net.au
Date: 09/30/02


From: silvio@big.net.au (silvio@big.net.au)
Date: Mon, 30 Sep 2002 00:04:17 -0700

ok.. THREATCON(tm) is back up after resolving the previous segv issuess.

unfortunately - one of our research boxes was denial of serviced when it
ran out of file descriptors.

openbsd/src/sbin/ancontrol/ancontrol.c

has some code that does this

main
        if (s)
                close(s);
        
        return (0);

well.. here at THREATCON research labs, we use execve wrappers around
this binary, where we do a close(0) to cut down on file descriptor usage,
before exec. for the above program, we noticed that the above close(s) didn't
actually close the socket because 0 is a valid file descriptor - and
was returned from a socket call, after we did the close(0) also what
about -1 in the above code? erm, nevermind.

the recommended patch is to remove the condition competely, since before that
it will exit() if socket() fails (where it checks for s < 0).

also. it is suspected that some code out there does fd checks like this

if (fd <= 0) failure

this is noteably incorrect, because as stated prior, 0 is a valid fd.

I recommend full auditing of all error checking associated with obtaining
a fd!

THREATCON status of "gravelly road", did not change with the release of this
advisory.

--
Silvio