edicl/hunchentoot

Usage of SO_REUSEADDR is confusing on Windows and might pose a security issue

Opened this issue · 0 comments

Hunchentoot calls socket-listen with :reuseaddress t (which is deprecated and :reuse-address should be used).

This behavior is confusing on Windows as it won't raise EADDRINUSE on listen when existing sockets exist on the same port. It will gladly bind the port, having two processes listening on the same port. Only the first socket will receive all data until it stops. But for the other socket, everything looks fine, it just doesn't receive any data.

Took me a while to find this out as it's different from other operating systems, and frankly a quite strange default as it looks like things are fine when in practice you won't get any data.

This could also be a security risk as someone can "steal" Hunchentoot traffic by binding the same port and waiting for an application restart. Or bind it before Hunchentoot starts.

So maybe the default should change? Or at least make it configurable.
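
An added example, not part of the original issue and not Hunchentoot's code: a Python sketch of a listener that picks the socket option per platform, so a second bind on the same port is refused, plus a startup self-check for that property. The function names `exclusive_listener` and `second_bind_refused` are hypothetical.

```python
import socket
import sys


def exclusive_listener(host="127.0.0.1", port=0, backlog=5):
    """Return a listening TCP socket that another socket cannot bind over."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if sys.platform == "win32":
            # Windows: SO_REUSEADDR lets a second socket bind a port that is
            # already in use. SO_EXCLUSIVEADDRUSE forbids that sharing.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        else:
            # POSIX: SO_REUSEADDR only allows rebinding past TIME_WAIT
            # connections; an active listener still yields EADDRINUSE.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        sock.listen(backlog)
    except OSError:
        sock.close()
        raise
    return sock


def second_bind_refused(listener):
    """Self-check: True if the OS rejects a second SO_REUSEADDR bind on the
    listener's own address and port, False if the port can be shared."""
    host, port = listener.getsockname()[:2]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind((host, port))
        probe.listen(1)
    except OSError:
        return True
    else:
        return False
    finally:
        probe.close()


if __name__ == "__main__":
    srv = exclusive_listener()  # port 0: the OS picks a free port
    print("listening on port", srv.getsockname()[1])
    print("second bind refused:", second_bind_refused(srv))
    srv.close()
```

Running the self-check right after startup turns the silent "looks fine but receives nothing" case into a visible failure.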