oss-sec mailing list archives

Re: Race condition between UDP bind(2) and connect(2) delivers wrong datagrams


From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Wed, 8 Nov 2017 13:13:20 -0600 (CST)

On Wed, 8 Nov 2017, Eric Blake wrote:

> This issue is not that case because Darwin[1], DragonFly[2], FreeBSD[3],
> GNU/Hurd (though by importing Linux man pages), Linux[4], NetBSD[5], and
> OpenBSD[6] all document behavior compatible with POSIX[7].

It doesn't matter what the implementations document (if their
documentation is copying from POSIX), but what they actually DO.

For the purpose of this list (about security) it seems to me that the current behavior makes use of the recv(2) (or read(2)) system calls inherently insecure since there is no way to verify that a received message is from the expected source address. The only work-around is to intentionally discard messages until no more messages are available, but this may discard valid messages.

This makes most common uses of recv(2) insecure.

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
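As an added example (written for this page, not code from Bob or from any of the systems listed in the thread), the defensive counterpart to the point above: a replacement for recv(2) that reads with recvfrom(2) and compares each sender against the address connect(2) established, so a datagram that was queued from another source in the bind/connect window is dropped instead of being handed to the caller. `demo()` constructs that window on loopback; the names `bound_udp`, `recv_from_peer` and `demo` are mine.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a UDP socket to a kernel-chosen port on 127.0.0.1; fills *addr. */
static int bound_udp(struct sockaddr_in *addr) {
    socklen_t len = sizeof *addr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) return -1;
    return fd;
}

/* Drop-in for recv(2) on a connected UDP socket: return only datagrams whose
 * sender matches the connected peer (getpeername); anything queued from another
 * source before connect(2) is discarded rather than handed to the caller. */
ssize_t recv_from_peer(int fd, void *buf, size_t len) {
    struct sockaddr_in peer, src;
    socklen_t plen = sizeof peer, slen;
    if (getpeername(fd, (struct sockaddr *)&peer, &plen) < 0) return -1;
    for (;;) {
        slen = sizeof src;
        ssize_t n = recvfrom(fd, buf, len, 0, (struct sockaddr *)&src, &slen);
        if (n < 0 || (src.sin_addr.s_addr == peer.sin_addr.s_addr &&
                      src.sin_port == peer.sin_port)) return n;
        /* source mismatch: stray datagram, read the next one instead */
    }
}

/* Constructed scenario: a stray sender reaches the socket between bind(2) and
 * connect(2). Returns 1 if the filtered read yields the real peer's datagram. */
int demo(void) {
    struct sockaddr_in a, peer, stray;
    int fd = bound_udp(&a), pfd = bound_udp(&peer), sfd = bound_udp(&stray);
    char buf[16];
    ssize_t n;
    if (fd < 0 || pfd < 0 || sfd < 0) return -1;
    sendto(sfd, "stray", 5, 0, (struct sockaddr *)&a, sizeof a); /* pre-connect */
    if (connect(fd, (struct sockaddr *)&peer, sizeof peer) < 0) return -1;
    sendto(pfd, "legit", 5, 0, (struct sockaddr *)&a, sizeof a);
    n = recv_from_peer(fd, buf, sizeof buf);
    close(fd); close(pfd); close(sfd);
    return n == 5 && memcmp(buf, "legit", 5) == 0;
}
```

The address check only removes the stray-datagram case the thread describes; it is not authentication, since a UDP source address is not verified by the network, so application-layer integrity protection is still needed.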