Closed
Bug 106496
Opened 24 years ago
Closed 23 years ago
PR_NewTCPSocketPair: not checking source of connection
Categories
(NSPR :: NSPR, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
4.2
People
(Reporter: KaiE, Assigned: wtc)
References
Details
Attachments
(2 files)
|
1.39 KB,
patch
|
Details | Diff | Splinter Review | |
|
1.43 KB,
patch
|
Details | Diff | Splinter Review |
This bug seems to apply to Windows and Mac, but not to Linux/Unix.
NSPR uses PR_NewTCPSocketPair to create a pair of connected sockets. The server
socket listens on the loopback device, meaning that programs running on the same
machine as an application could try to connect to this socket.
To avoid the possibility that a malicious program could try to exploit this
behaviour in any way, only NSPR itself should be able to connect to itself.
Currently, NSPR does not check that the source socket connecting to the server
socket is the intended socket created by NSPR.
|
Reporter | |
Comment 1•24 years ago
|
||
|
Assignee | |
Updated•23 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 4.2
|
|
Assignee | |
Comment 2•23 years ago
|
||
Fix checked into the tip of NSPR.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 3•23 years ago
|
||
I found that I haven't fixed the "WINNT" version of
PR_NewTCPSocketPair(). More work to do.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 4•23 years ago
|
||
|
|
Assignee | |
Comment 5•23 years ago
|
||
The WINNT patch has been checked into the tip of NSPR.
Status: REOPENED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•