Potential problem with OOB data on OS X about mio HOT 7 CLOSED

I decided to pick up the work where @vhbit left off and get the final patch into mio. I wanted to write a test case for this too and could not for the life of me get the event loop to detect a message sent with MSG_OOB. Finally, it dawned on me that maybe this was patched by Apple themselves. Lo and behold, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1105 documents the fix.

We should update the documentation to warn people that the TCP implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly implement the Urgent (aka out-of-band data) mechanism, which allows remote attackers to cause a denial of service via crafted packets.

from mio.

This is awesome. I heartily agree that we should force the distinction between READ events and OOB events.

from mio.

👍 are you interested in working on this? It probably should be part of ReadHint?

Also, it may just be better to disable out of band data by default? It looks like this can be done with a sockopt: SO_OOBINLINE

from mio.

@carllerche FWIW, that's how we "fixed" it on libuv.

from mio.

@carllerche yep, if it's not a rush, I can work on it around Tuesday or
Wednesday (as Easter is coming to my part of the world)

from mio.

@vhbit looking forward to this :)

from mio.

Given that this issue has been patched by apple in all versions of OS X 10.10 and greater (which is pretty old at this point), and the worst case scenario is that the process locks, it seems to me as it is safe to close this.

from mio.