Create_Selector creates a signalling socket in an unsafe way. A malicious local user (or, if the host implements a sufficiently weak end system model, someone on the local network) can connect to the newly created socket before the application itself, thereby disrupting normal operation.

Release: GCC 3.1, mainline

Environment: Any platform that supports GNAT.Sockets.
Fix: Switch back to using pipes instead of sockets for signalling, as in GNAT 3.14p. On platforms which do not have pipes, use UDP for signalling, and add some kind of check that the triggering UDP packet really originated from the program itself.
From: Dara Hazeghi <dhazeghi@yahoo.com>
To: gcc-gnats@gcc.gnu.org, fw@deneb.enyo.de
Cc:
Subject: Re: ada/6717: Race condition in GNAT.Sockets.Create_Selector
Date: Sat, 10 May 2003 16:48:28 -0700

http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&database=gcc&pr=6717

Hello,

gcc 3.1 is by now rather old. Is it possible for you to determine whether this problem still exists on gcc 3.3 branch or current mainline?

Thanks,

Dara
From: Dara Hazeghi <dhazeghi@yahoo.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: gcc-gnats@gcc.gnu.org
Subject: Re: ada/6717: Race condition in GNAT.Sockets.Create_Selector
Date: Sun, 11 May 2003 17:15:11 -0700 (PDT)

--- Florian Weimer <fw@deneb.enyo.de> wrote:
> Dara Hazeghi <dhazeghi@yahoo.com> writes:
>
> > gcc 3.1 is by now rather old. Is it possible for you to determine
> > whether this problem still exists on gcc 3.3 branch or current
> > mainline? Thanks,
>
> AFAIK, no Ada code in this area has been changed.

Thanks for the update. Sorry that there hasn't been any progress...

Dara
Use more reasonable priority. Critical should be reserved for bugs that make the compiler unusable on a previously working platform.
Please check whether this is still the case on the mainline and if so, please file a test case exposing the problem, or give more details as to what code precisely is wrong, thanks. Arno
Subject: Re: Race condition in GNAT.Sockets.Create_Selector

In Create_Selector, the call to C_Accept might accept a connection that is not the one that was started a couple of lines above. The code does not deal with that situation in any way.
Reopening for investigation. Arno
Subject: Bug 6717

CVSROOT: /cvs/gcc
Module name: gcc
Changes by: charlet@gcc.gnu.org 2005-06-16 08:41:50

Modified files:
    gcc/ada : g-socket.ads g-socket.adb

Log message:
    2005-06-14 Thomas Quinot <quinot@adacore.com>

    PR ada/6717
    * g-socket.ads, g-socket.adb (Inet_Addr): Special case the all-ones broadcast address.
    (Create_Selector): Bind listening socket used to create the signalling socket pair to 127.0.0.1 to limit the scope for 'theft' of connection. Set listen backlog to 1 to ensure that we detect socket theft by a failure of our own connect(2) call.
    (Check_Selector): Improve documentation of the selector mechanism.
    (Broadcast_Inet_Addr): New constant.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ada/g-socket.ads.diff?cvsroot=gcc&r1=1.12&r2=1.13
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ada/g-socket.adb.diff?cvsroot=gcc&r1=1.13&r2=1.14
Fixed on mainline. Arno
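The mitigation named in the commit message above (listener bound to 127.0.0.1, listen backlog of 1), sketched in C as an added example; it is not the GNAT source or the patch itself. The names `make_signalling_pair` and `same_endpoint` are hypothetical, and comparing the accepted peer with the connecting socket's own address is an extra check added here for the wrong-connection case raised in the thread, not something the commit message states.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Nonzero when two IPv4 endpoints have the same address and port. */
static int same_endpoint(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    return a->sin_family == b->sin_family &&
           a->sin_addr.s_addr == b->sin_addr.s_addr &&
           a->sin_port == b->sin_port;
}

/* Hypothetical helper: fills sv[0] (read side) and sv[1] (write side).
   Returns 0 on success, -1 if setup failed or the accepted peer is foreign. */
int make_signalling_pair(int sv[2])
{
    struct sockaddr_in addr, peer, self;
    socklen_t len = sizeof addr;
    int lsock = socket(AF_INET, SOCK_STREAM, 0);
    int wsock = socket(AF_INET, SOCK_STREAM, 0);
    int rsock = -1;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* 127.0.0.1 only, not INADDR_ANY */
    addr.sin_port = 0;                             /* kernel picks an ephemeral port */
    if (lsock < 0 || wsock < 0) goto fail;
    if (bind(lsock, (struct sockaddr *)&addr, sizeof addr) < 0) goto fail;
    if (listen(lsock, 1) < 0) goto fail;           /* backlog of 1, as in the commit */
    if (getsockname(lsock, (struct sockaddr *)&addr, &len) < 0) goto fail;
    if (connect(wsock, (struct sockaddr *)&addr, sizeof addr) < 0) goto fail;
    len = sizeof peer;
    rsock = accept(lsock, (struct sockaddr *)&peer, &len);
    if (rsock < 0) goto fail;
    len = sizeof self;
    if (getsockname(wsock, (struct sockaddr *)&self, &len) < 0) goto fail;
    if (!same_endpoint(&peer, &self)) goto fail;   /* added check: peer is not ours */
    close(lsock);                                  /* listener no longer needed */
    sv[0] = rsock; sv[1] = wsock;
    return 0;
fail:
    if (rsock >= 0) close(rsock);
    if (wsock >= 0) close(wsock);
    if (lsock >= 0) close(lsock);
    return -1;
}

int main(void) { int sv[2]; return make_signalling_pair(sv) == 0 ? 0 : 1; }
```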