Comments (7)
I decided to pick up the work where @vhbit left off and get the final patch into mio. I wanted to write a test case for this too and could not for the life of me get the event loop to detect a message sent with MSG_OOB. Finally, it dawned on me that maybe this was patched by Apple themselves. Lo and behold, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1105 documents the fix.
We should update the documentation to warn people that the TCP implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly implement the Urgent (aka out-of-band data) mechanism, which allows remote attackers to cause a denial of service via crafted packets.
from mio.
This is awesome. I heartily agree that we should force the distinction between READ events and OOB events.
from mio.
👍 are you interested in working on this? It probably should be part of ReadHint?
Also, it may just be better to disable out of band data by default? It looks like this can be done with a sockopt: SO_OOBINLINE
from mio.
@carllerche FWIW, that's how we "fixed" it on libuv.
from mio.
@carllerche yep, if it's not a rush, I can work on it around Tuesday or Wednesday (as Easter is coming to my part of the world)
from mio.
@vhbit looking forward to this :)
from mio.
Given that this issue has been patched by Apple in all versions of OS X 10.10 and greater (which is pretty old at this point), and the worst-case scenario is that the process locks, it seems to me that it is safe to close this.
from mio.
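The SO_OOBINLINE suggestion from the comments above, as an added example that is not code from mio or libuv: a C loopback check showing that, with the option set on the receiving socket, a byte sent with MSG_OOB arrives through ordinary recv() calls in stream order. The function name `oob_inline_roundtrip` and the sample bytes are constructed for this illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed loopback demo: the peer sends "ab", urgent byte 'X', then "cd".
 * SO_OOBINLINE on the receiver keeps 'X' in the ordinary stream, so plain
 * recv() drains it. Returns bytes received, or -1 on error. */
int oob_inline_roundtrip(char *out, size_t cap)
{
    int on = 1, got = -1, lst = -1, cli = -1, srv = -1;
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    memset(&addr, 0, sizeof addr);          /* port 0: kernel picks a free one */
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lst = socket(AF_INET, SOCK_STREAM, 0);
    cli = socket(AF_INET, SOCK_STREAM, 0);
    if (lst < 0 || cli < 0) goto done;
    if (bind(lst, (struct sockaddr *)&addr, sizeof addr) < 0) goto done;
    if (listen(lst, 1) < 0) goto done;
    if (getsockname(lst, (struct sockaddr *)&addr, &len) < 0) goto done;
    if (connect(cli, (struct sockaddr *)&addr, sizeof addr) < 0) goto done;
    if ((srv = accept(lst, NULL, NULL)) < 0) goto done;
    /* The sockopt named in the thread: deliver urgent data in-band. */
    if (setsockopt(srv, SOL_SOCKET, SO_OOBINLINE, &on, sizeof on) < 0) goto done;
    if (send(cli, "ab", 2, 0) != 2) goto done;
    if (send(cli, "X", 1, MSG_OOB) != 1) goto done;
    if (send(cli, "cd", 2, 0) != 2) goto done;
    shutdown(cli, SHUT_WR);                 /* lets the reader see EOF */
    for (got = 0; (size_t)got < cap; ) {    /* recv() may stop at the urgent mark */
        ssize_t n = recv(srv, out + got, cap - got, 0);
        if (n < 0) { got = -1; break; }
        if (n == 0) break;
        got += (int)n;
    }
done:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    if (lst >= 0) close(lst);
    return got;
}

int main(void)
{
    char buf[16];
    int n = oob_inline_roundtrip(buf, sizeof buf);
    return (n == 5 && memcmp(buf, "abXcd", 5) == 0) ? 0 : 1;
}
```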