Vulnerability Development mailing list archives

FreeBSD listen() again

From: 3APA3A () SECURITY NNOV RU (3APA3A)
Date: Sat, 30 Oct 1999 17:08:52 +0400


Hello vulN-DEV@,

 I wasn't right in defining the problem for backlog in listen()

  as it was correctly pointed by Sebastian <scut () nb in-berlin de>:

-=-=-=-=-
For some unknown reasons berkeley derived implementations multiply backlog
with 1.5. (backlog = 5 will turn to 8 for example).
-=-=-=-=-

  It seems real queue length is counted as
     backlog + (backlog+1)>>1

  that's  why  listen(sock,  1)  will never work as it should. It will
  allow  to  establish  2 connections. It's for both FreeBSD 2.2.x and
  3.x, so the problem is even deeper.

         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
X5O!X5O!P@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Current thread:

Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 28)
- Re: Possibly exploitable overflow in Alibaba 2.0 W.H.J.Pinckaers (Oct 29)
- FreeBSD listen() again 3APA3A (Oct 30)
  - Re: FreeBSD listen() again Sebastian (Oct 30)
- Re: Possibly exploitable overflow in Alibaba 2.0 Blue Boar (Oct 30)
- <Possible follow-ups>
- Re: Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 30)