Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-1265383

Socket code allows illegal port numbers to reach SecurityManager

    XMLWordPrintable

    Details

    • Subcomponent:
    • CPU:
      sparc
    • OS:
      generic

      Description


      The JDK socket classes do range checks to check for valid port numbers:

          public Socket(String host, int port, boolean stream) throws IOException {
              this();

              String hostCopy = new String(host);

              SecurityManager security = System.getSecurityManager();
              if (security != null) {
                  hostCopy = InetAddress.getByName(hostCopy).getHostAddress();
                  security.checkConnect(hostCopy, port);
               }

               if (port < 0 || port > 0xFFFF) {
                   throw new IllegalArgumentException("port out range:"+port);
               }

      However the range check always occurs *after* the SecurityManager
      gets to look at it. This means that the SecurityManager can get bogus
      port numbers.

      I think any argument validation check should be done before the
      argument is used.

      I believe this affects Socket, ServerSocket, and DatagramSocket.

      sritchie -- 26 Aug 96

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            duke J. Duke (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: