Nmap Development mailing list archives

Why the "Linux goofiness" socket writability check?


From: David Fifield <david () bamsoftware com>
Date: Tue, 14 Jul 2009 11:58:47 -0600

Hi,

What is the purpose of this code in handle_connect_result in
nsock/src/nsock_core.c?

    switch(socket_error) {
    case 0:
#ifdef LINUX
      if (!FD_ISSET(iod->sd, &ms->mioi.fds_results_r)) {
        /* Linux goofiness -- We need to actually test that it is writeable */
        rc = send(iod->sd, "", 0, 0);
        
        if (rc < 0 ) {
          nse->status = NSE_STATUS_ERROR;
          nse->errnum = ECONNREFUSED;
        } else {
          nse->status = NSE_STATUS_SUCCESS;
        }
      } else {
        nse->status = NSE_STATUS_SUCCESS;
      }
#else
      nse->status = NSE_STATUS_SUCCESS;
#endif
      break;

The function is called whenever the iod->sd bit is set in either
fds_results_r, fds_results_w, or fds_results_x. The code is saying, if
it was not because fds_results_r was set (presumably fds_results_w was
set--the socket is writable), then do a 0-length send to test if the
socket really is writable.

The code predates the public Subversion repository, so I can't get a log
message from when it was added.

This code is problematic for a couple of reasons. First, this breaks
SCTP connections, because SCTP does not support 0-length sends. You get an
"Invalid argument" error. http://seclists.org/nmap-dev/2009/q3/0088.html.
Second, I have now found that UDP connects are also routed through
handle_connect_result, so Nsock UDP connections are sending a packet with
an empty payload right after connection.

Fyodor, I suppose that you wrote this check originally. Do you remember
what it works around?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
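The following is an added demonstration of the behaviour described in the message above; it is not code from Nmap or from the nsock library. It reproduces the quoted check, send(fd, "", 0, 0), on two connected sockets over the loopback interface: a UDP socket, where the peer receives a datagram with an empty payload, and a TCP socket, where the same call transmits nothing. Both probe functions and the helper bind_loopback are names chosen here for the example; the results assume Linux or BSD socket semantics, which is where the original check is compiled in.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a socket of the given type to 127.0.0.1 on a kernel-chosen port and
 * return that address in *out. Hypothetical helper for the two probes below. */
static int bind_loopback(int type, struct sockaddr_in *out)
{
    int fd = socket(AF_INET, type, 0);
    socklen_t alen = sizeof(*out);
    if (fd < 0) return -1;
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    out->sin_port = 0;                       /* kernel picks a free port */
    if (bind(fd, (struct sockaddr *)out, sizeof(*out)) < 0 ||
        getsockname(fd, (struct sockaddr *)out, &alen) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 if send(fd, "", 0, 0) on a connected UDP socket delivers an
 * empty datagram to the peer, 0 if the peer sees nothing, -1 on setup error. */
int udp_zero_length_send_emits_datagram(void)
{
    struct sockaddr_in addr;
    struct pollfd pfd;
    char buf[16];
    int result = -1, tx = -1;
    int rx = bind_loopback(SOCK_DGRAM, &addr);
    if (rx < 0) return -1;
    tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (tx < 0) goto out;
    /* A UDP "connect" only records the default destination address. */
    if (connect(tx, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto out;
    /* The writability probe quoted from handle_connect_result. */
    if (send(tx, "", 0, 0) < 0) { result = 0; goto out; }
    pfd.fd = rx; pfd.events = POLLIN; pfd.revents = 0;
    if (poll(&pfd, 1, 1000) <= 0) { result = 0; goto out; }
    /* recv() returning 0 on a datagram socket means a 0-byte datagram arrived. */
    result = (recv(rx, buf, sizeof(buf), 0) == 0) ? 1 : 0;
out:
    close(rx);
    if (tx >= 0) close(tx);
    return result;
}

/* Returns 1 if the same 0-length send on a connected TCP socket succeeds and
 * transmits nothing (the peer never becomes readable), 0 otherwise, -1 on
 * setup error. */
int tcp_zero_length_send_is_noop(void)
{
    struct sockaddr_in addr;
    struct pollfd pfd;
    int result = -1, client = -1, peer = -1;
    int lst = bind_loopback(SOCK_STREAM, &addr);
    if (lst < 0) return -1;
    if (listen(lst, 1) < 0) goto out;
    client = socket(AF_INET, SOCK_STREAM, 0);
    if (client < 0) goto out;
    if (connect(client, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto out;
    peer = accept(lst, NULL, NULL);
    if (peer < 0) goto out;
    if (send(client, "", 0, 0) != 0) { result = 0; goto out; }
    pfd.fd = peer; pfd.events = POLLIN; pfd.revents = 0;
    /* A stream socket has no message boundaries: nothing goes on the wire,
     * so poll() times out instead of reporting readable data. */
    result = (poll(&pfd, 1, 200) == 0) ? 1 : 0;
out:
    close(lst);
    if (client >= 0) close(client);
    if (peer >= 0) close(peer);
    return result;
}

int main(void)
{
    printf("UDP 0-length send delivers an empty datagram: %d\n",
           udp_zero_length_send_emits_datagram());
    printf("TCP 0-length send is a no-op: %d\n",
           tcp_zero_length_send_is_noop());
    return 0;
}
```

Run with a C compiler on a host with a loopback interface; both probes print 1. The contrast is the practical point of the message: on a stream socket the check is harmless, but on a datagram socket a 0-length send is a real transmission, which is why a UDP "connection" through this path emits an empty packet before any payload is written.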