ports/188342: [PATCH] www/aws tries to bind to loopback address

Natacha Porté natbsd at instinctive.eu
Mon Apr 7 11:30:03 UTC 2014


>Number:         188342
>Category:       ports
>Synopsis:       [PATCH] www/aws tries to bind to loopback address
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 07 11:30:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Natacha Porté
>Release:        9.2-RELEASE
>Organization:
>Environment:
FreeBSD nat.rebma.instinctive.eu 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013     root at bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
To build an internal socket pair, www/aws listens on a socket bound to 127.0.0.1 and connects to it, returning connected and accepted sockets after some sanity checks (and closing the listening socket).

One of those sanity checks is that the address of the remote peer of the accepted socket is indeed 127.0.0.1.

However, in a jailed environment, binding to 127.0.0.1 might not be possible, and is instead silently interpreted as binding to the main IP address of the jail (e.g. 172.16.0.2). During the connection, 127.0.0.1 is reinterpreted as well, so the connection is successful. However, the sanity check fails, because the remote address is not 127.0.0.1 but 127.16.0.2.

Since this is an issue only because of a peculiarity of the FreeBSD jail environment, I don't believe this issue to be worth reporting upstream.

Attached to this PR is a patch that changes the sanity check from comparing against hardcoded "127.0.0.1" to comparing against the address associated with the connected socket, which keeps the intent of the code.
>How-To-Repeat:
Start a program that uses www/aws to listen for HTTP connections (www/aws-demos provides a bunch of them), inside a jailed environment that doesn't inherit the host network interface and that doesn't have 127.0.0.1 as one of its aliases.

It will fail after about 250ms (internal timeout of the socket connection described above).
>Fix:
Add the attached patch as ports/www/aws/files/patch-src_core_aws-net.adb

Patch attached with submission follows:

--- src/core/aws-net.adb.orig	2014-04-03 07:44:04.691630539 +0200
+++ src/core/aws-net.adb	2014-04-03 15:48:00.868957657 +0200
@@ -439,7 +439,7 @@
 
          --  to be shure that it is S1 and S2 connected together
 
-         exit when Peer_Addr (STC (S2)) = Local_Host
+         exit when Peer_Addr (STC (S2)) = Get_Addr (STC (S1))
            and then Peer_Port (STC (S2)) = Get_Port (STC (S1))
            and then Peer_Port (STC (S1)) = Get_Port (STC (S2));
 
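Review bot: the address is compared in one direction only at the changed "exit when" line, while the ports are compared in both. Now that the expected address is no longer the constant Local_Host, add the mirror test "and then Peer_Addr (STC (S1)) = Get_Addr (STC (S2))" so that each end is checked against the other. The comment above the test should also say why it compares against S1's own address rather than Local_Host (per the PR, a jail can remap the 127.0.0.1 bind), so the reason is not lost when the port is next updated.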


>Release-Note:
>Audit-Trail:
>Unformatted:
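
The socket-pair construction and sanity check described in this PR, as an added C example (not code from www/aws, the port or the submitter). The helper names are hypothetical; each end's peer address and port are compared with the other end's own, so the check still passes where a jail remaps 127.0.0.1, and it goes beyond the patch by checking the address in both directions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Local (peer == 0) or remote (peer == 1) address of a socket. */
static int name(int fd, int peer, struct sockaddr_in *out)
{
    socklen_t n = sizeof *out;
    return peer ? getpeername(fd, (struct sockaddr *)out, &n)
                : getsockname(fd, (struct sockaddr *)out, &n);
}

/* Hypothetical helper (added example): sv[0] = connecting end, sv[1] =
 * accepted end. Returns 0 on success, -1 on error or mismatched ends. */
int tcp_socket_pair(int sv[2])
{
    struct sockaddr_in a = { .sin_family = AF_INET,   /* port 0: kernel picks */
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct sockaddr_in l1, p1, l2, p2;
    int l = socket(AF_INET, SOCK_STREAM, 0), s1 = -1, s2 = -1;

    if (l < 0 || bind(l, (struct sockaddr *)&a, sizeof a) || listen(l, 1)
        || name(l, 0, &a)          /* address really bound; a jail may remap it */
        || (s1 = socket(AF_INET, SOCK_STREAM, 0)) < 0
        || connect(s1, (struct sockaddr *)&a, sizeof a)
        || (s2 = accept(l, NULL, NULL)) < 0
        || name(s1, 0, &l1) || name(s1, 1, &p1)
        || name(s2, 0, &l2) || name(s2, 1, &p2)
        /* Address and port must agree in both directions. */
        || p2.sin_addr.s_addr != l1.sin_addr.s_addr || p2.sin_port != l1.sin_port
        || p1.sin_addr.s_addr != l2.sin_addr.s_addr || p1.sin_port != l2.sin_port) {
        if (l >= 0) close(l);
        if (s1 >= 0) close(s1);
        if (s2 >= 0) close(s2);
        return -1;
    }
    close(l);                      /* listener is no longer needed */
    sv[0] = s1; sv[1] = s2;
    return 0;
}

/* Returns 1 when a byte written to one end arrives at the other. */
int pair_roundtrip(void)
{
    int sv[2], ok; char c = 0;
    if (tcp_socket_pair(sv)) return 0;
    ok = write(sv[0], "x", 1) == 1 && read(sv[1], &c, 1) == 1 && c == 'x';
    close(sv[0]); close(sv[1]);
    return ok;
}
```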

