[Full-Disclosure] THREATCON back up!

From: silvio@big.net.au (silvio@big.net.au)
Date: Mon, 30 Sep 2002 00:04:17 -0700

ok.. THREATCON(tm) is back up after resolving the previous segv issues.

unfortunately - one of our research boxes was denial-of-serviced when it
ran out of file descriptors.

openbsd/src/sbin/ancontrol/ancontrol.c

has some code that does this

main
        if (s)
                close(s);
        
        return (0);

well.. here at THREATCON research labs, we use execve wrappers around
this binary, where we do a close(0) to cut down on file descriptor usage
before exec. For the above program, we noticed that the above close(s) didn't
actually close the socket, because 0 is a valid file descriptor and
was returned from a socket call after we did the close(0). Also, what
about -1 in the above code? erm, nevermind.

the recommended patch is to remove the condition completely, since before that
it will exit() if socket() fails (where it checks for s < 0).

also, it is suspected that some code out there does fd checks like this

if (fd <= 0) failure

this is notably incorrect, because, as stated prior, 0 is a valid fd.

I recommend full auditing of all error checking associated with obtaining
a fd!

THREATCON status of "gravelly road", did not change with the release of this
advisory.

--
Silvio
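The scenario described in the post, as an added example that is not part of Silvio's message or of the OpenBSD ancontrol source: a small C program that closes fd 0 the way the execve wrapper does, obtains a socket (which then lands on descriptor 0), and compares the `if (s)` idiom with an `s >= 0` check. It also shows the `fd <= 0` test the post warns about next to the correct `fd < 0` form. All helper names are mine; the `/dev/null` fallback is only there so the demonstration still runs where sockets are not permitted.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if fd currently refers to an open descriptor, 0 otherwise. */
int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

/* The ancontrol idiom: treats 0 as "no socket" (and happily closes -1). */
int buggy_close(int s)
{
	if (s) {
		close(s);
		return 1;	/* close() was attempted */
	}
	return 0;		/* descriptor 0 is silently leaked */
}

/* Recommended form: socket() only ever reports failure as -1. */
int fixed_close(int s)
{
	if (s >= 0) {
		close(s);
		return 1;
	}
	return 0;
}

/* The "if (fd <= 0) failure" check: returns 1 for failure, wrongly rejecting fd 0. */
int bad_fd_check(int fd)
{
	return fd <= 0;
}

/* Correct check: only -1 (or any negative value) signals failure. */
int good_fd_check(int fd)
{
	return fd < 0;
}

/*
 * Simulates the execve wrapper: close stdin, then ask the kernel for a new
 * descriptor. POSIX hands out the lowest free number, so this returns 0.
 * (Hypothetical helper; socket() with AF_UNIX avoids needing any network.)
 */
int get_fd_with_stdin_closed(void)
{
	int s;

	close(0);
	s = socket(AF_UNIX, SOCK_DGRAM, 0);
	if (s < 0)	/* assumption: fall back to a plain file if sockets are blocked */
		s = open("/dev/null", O_RDONLY);
	return s;
}

/*
 * Runs the whole scenario. Returns 1 if the buggy idiom left the descriptor
 * open while the fixed one closed it, 0 if not, -1 if fd 0 was not obtained.
 */
int demonstrate_leak(void)
{
	int s = get_fd_with_stdin_closed();
	int leaked, closed;

	if (s != 0)
		return -1;
	buggy_close(s);
	leaked = fd_is_open(s);		/* still open: the bug */
	fixed_close(s);
	closed = !fd_is_open(s);	/* gone: the fix */
	return leaked && closed;
}

int main(void)
{
	printf("buggy close leaks fd 0, fixed close releases it: %s\n",
	    demonstrate_leak() == 1 ? "yes" : "no");
	printf("'fd <= 0' rejects valid fd 0: %s\n", bad_fd_check(0) ? "yes" : "no");
	printf("'fd < 0' accepts fd 0: %s\n", good_fd_check(0) ? "no" : "yes");
	return 0;
}
```

Note that after `close(0)` any later `open()`, `socket()` or `accept()` in the process can legitimately return 0, so every "is this fd valid" test must compare against -1 (or `< 0`), never against 0; the same goes for programs started by a parent that closed its standard descriptors, which is why the post recommends auditing all such checks.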
