[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Bug: svnserve fail to detect it is already running

From: Stefan Sperling <stsp_at_elego.de>
Date: Fri, 9 Jul 2010 17:44:31 +0200

On Fri, Jul 09, 2010 at 09:36:05AM -0500, Peter Samuelson wrote:
>
> [Stefan Sperling]
> > This doesn't make any sense.
> > I don't understand how an OS can allow a user process to break
> > a system service simply by binding a socket to the same port.
>
> And yet ... http://msdn.microsoft.com/en-us/library/ms740621%28VS.85%29.aspx
>
> Once the second socket has successfully bound, the behavior for all
> sockets bound to that port is indeterminate. For example, if all of
> the sockets on the same port provide TCP service, any incoming TCP
> connection requests over the port cannot be guaranteed to be
> handled by the correct socket — the behavior is non-deterministic.

Gasp! That's just crazy.

> From that article, it appears SO_REUSEADDR means something rather
> different in Windows than in Unix.
>
> Likewise, an "active" TCP port is a port that is currently in one
> of the following states: ESTABLISHED, FIN_WAIT, FIN_WAIT_2, or
> LAST_ACK. Ports without SO_EXCLUSIVEADDRUSE set may be reused as
> soon as the socket on which bind was previously called is closed.
>
> So here's how I interpret the situation:
>
> Windows Unix Meaning
> -------------------------------------------------------------------
> default SO_REUSEADDR Can reuse a socket immediately
> after you close it, without
> waiting for the other end of the
> connection to close (or time out)
>
> SO_EXCLUSIVEADDR default Cannot reuse a socket until both
> ends of all connections have
> closed them (or timed out)
>
> SO_REUSEADDR not possible Unsafe!
>
> Of course what we want is the first case.

As far as I can tell there is little we can do to secure svnserve
against this attack on Windows systems other than Server 2003,
because APR won't let us set the SO_EXCLUSIVEADDR option.
apr_socket_t is opaque so there seems to be no way svnserve can get
at the actual socket.

Not setting SO_REUSEADDR on Windows should at least fix the problem
for Windows Server 2003 (patch below).

Maybe we should rewrite svnserve to use the native socket API directly?

I wonder how the Apache httpd server deals with this problem...

Index: subversion/svnserve/main.c
===================================================================
--- subversion/svnserve/main.c (revision 962479)
+++ subversion/svnserve/main.c (working copy)
@@ -729,9 +729,18 @@
       return svn_cmdline_handle_exit_error(err, pool, "svnserve: ");
     }
 
+#ifndef WIN32
   /* Prevents "socket in use" errors when server is killed and quickly
- * restarted. */
+ * restarted.
+ *
+ * We must not set the SO_REUSEADDR socket option on Windows because
+ * it allows denial-of-service attacks against svnserve.
+ * http://msdn.microsoft.com/en-us/library/ms740621%28VS.85%29.aspx
+ *
+ * Unfortunately, APR does not support the SO_EXCLUSIVEADDRUSE option.
+ */
   apr_socket_opt_set(sock, APR_SO_REUSEADDR, 1);
+#endif
 
   status = apr_socket_bind(sock, sa);
   if (status)
Received on 2010-07-09 17:45:15 CEST

This is an archived mail posted to the Subversion Dev mailing list.