Hi!
Klaus Schmidinger schrieb:
How about this: if svdrphosts.conf contains only one single IP number, then open the port for only that IP number. Otherwise i needs to be opened generally, anyway.
AFAIK one can only bind an IP socket to a local address (usually corresponding to a network interface, e.g. 127.0.0.1) or 0.0.0.0, so if I want to accept SVDRP _from_ a specific address via eth0, I have to bind to the address configured on eth0.
As I get the peer address via accept(), I can directly determine if I want to "risk" talking to (or even reading from) it, I assume VDR does exactly this by looking up the address in svdrphosts.conf.
IMHO: If there is a vulnerability that is effective when one only calls accept(), this is a problem of the OS (Kernel/libc). If one is really paranoid, there's always netfilter.
Ciao
Martin