Maybe the Cc:-ed TCP gods have a better idea what is really going
on? :)
The networking gods have known about this bug for a few weeks now,
the issue is that I haven't found yet a satisfactory fix which is safe
enough for 2.2.x, I guess I know what I'm working on this weekend.
A more efficient version of the "exploit" btw is:
fd1 = socket();
fd2 = socket();
on = 1;
setsockopt(fd1, SO_REUSEADDR, &on);
setsockopt(fd2, SO_REUSEADDR, &on);
bind(fd1, 1024);
bind(fd2, 1024);
close(fd2);
sleep(5);
... do something with fd1 like try to connect it etc.
somthing like that, instant crash.
The final fix will probably involve just fully hashing sockets from
BIND onward, instead of waiting for the socket to move away from
TCP_CLOSE which is what we do now, and is a primary source of the
problems.
Another solution involves true reference counters on the bind buckets.
This one may be easier to say "fixes it and yes it is obviously
correct".
I'll go see which one is best...
Later,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/