From: silvio@big.net.au
To: full-disclosure@lists.netsys.com
Date: Mon, 30 Sep 2002 00:04:17 -0700
Subject: THREATCON back up!
Message-ID: <20020930000417.A6586@hamsec.aurora.sfo.interquest.net>

ok.. THREATCON(tm) is back up after resolving the previous segv issues.

unfortunately - one of our research boxes was denial of serviced when it
ran out of file descriptors.

openbsd/src/sbin/ancontrol/ancontrol.c has some code that does this

    main
        if (s)
            close(s);
        return (0);

well.. here at THREATCON research labs, we use execve wrappers around this
binary, where we do a close(0) to cut down on file descriptor usage, before
exec.

for the above program, we noticed that the above close(s) didn't actually
close the socket because 0 is a valid file descriptor - and was returned
from a socket call, after we did the close(0)

also what about -1 in the above code? erm, nevermind.

the recommended patch is to remove the condition completely, since before
that it will exit() if socket() fails (where it checks for s < 0).

also. it is suspected that some code out there does fd checks like this

    if (fd <= 0) failure

this is notably incorrect, because as stated prior, 0 is a valid fd.

I recommend full auditing of all error checking associated with obtaining
a fd!

THREATCON status of "gravelly road", did not change with the release of
this advisory.

--
Silvio
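The descriptor behaviour described in the post, as an added example that is not part of the original message or of the OpenBSD source: with descriptor 0 closed, socket() returns 0, the quoted `if (s) close(s)` leaves it open, and the unconditional close does not. The function names, the stdin save/restore and the use of AF_UNIX are assumptions made so the demo runs offline.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Cleanup as quoted in the post: skips close() when s == 0. */
static void cleanup_as_quoted(int s) { if (s) close(s); }

/* Recommended patch: s < 0 already exited earlier, so always close. */
static void cleanup_patched(int s) { close(s); }

/* The suspected `if (fd <= 0) failure` test beside the correct one. */
static int failed_suspect(int fd) { return fd <= 0; }
static int failed_correct(int fd) { return fd < 0; }

/* Restore the saved stdin (if there was one) onto descriptor 0. */
static void restore_stdin(int saved)
{
    if (saved >= 0) { dup2(saved, 0); close(saved); }
}

/* Mimic the wrapper: close(0), obtain a socket, run `cleanup`.
 * Returns 1 if the socket is still open afterwards (leaked), 0 if it
 * was closed, -1 if socket() failed. *got is the fd socket() returned. */
static int run_case(void (*cleanup)(int), int *got)
{
    int saved = dup(0);   /* constructed for the demo: keep stdin */
    close(0);             /* what the execve wrapper does */
    int s = socket(AF_UNIX, SOCK_DGRAM, 0);  /* AF_UNIX is an assumption */
    if (s < 0) { restore_stdin(saved); return -1; }
    *got = s;
    cleanup(s);
    int leaked = fcntl(s, F_GETFD) != -1;    /* still a valid fd? */
    if (leaked) close(s);
    restore_stdin(saved);
    return leaked;
}

int main(void)
{
    int fd = -1;
    int leaked = run_case(cleanup_as_quoted, &fd);
    printf("as quoted: socket() returned %d, leaked=%d\n", fd, leaked);
    leaked = run_case(cleanup_patched, &fd);
    printf("patched:   socket() returned %d, leaked=%d\n", fd, leaked);
    printf("fd 0: (fd <= 0) says failure=%d, (fd < 0) says failure=%d\n",
           failed_suspect(0), failed_correct(0));
    return 0;
}
```

When auditing, the same pattern applies to any call that returns a descriptor (open, dup, accept, pipe ends): the only failure value is -1, so the test is `fd < 0` or `fd == -1`.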