From owner-cvs-all  Mon May 10 12: 5:46 1999
Delivered-To: cvs-all@freebsd.org
Received: from burka.rdy.com (burka.rdy.com [205.149.163.30])
	by hub.freebsd.org (Postfix) with ESMTP
	id D660A14D9B; Mon, 10 May 1999 12:05:42 -0700 (PDT)
	(envelope-from dima@burka.rdy.com)
Received: (from dima@localhost)
	by burka.rdy.com (8.9.3/RDY&DVV) id MAA29210;
	Mon, 10 May 1999 12:05:26 -0700 (PDT)
Message-Id: <199905101905.MAA29210@burka.rdy.com>
Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c
In-Reply-To: <199905101901.MAA24520@salsa.gv.tsc.tdk.com> from Don Lewis at "May 10, 1999 12:01:06 pm"
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Mon, 10 May 1999 12:05:26 -0700 (PDT)
Cc: nate@mt.sri.com (Nate Williams),
	truckman@FreeBSD.org (Don Lewis), cvs-committers@FreeBSD.org,
	cvs-all@FreeBSD.org
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

Don Lewis writes:
> I'm pretty sure that's a different leak.  The KKIS (unintentionally I
> think) exploits a bug in the code that implements the passing of
> descriptors across Unix domain datagram sockets.  If there is a failure in
> the middle of the operation, there is an extra reference to the descriptor
> which is being passed that gets orphaned.  The reason I think this exploit
> is unintentional in FreeBSD >= 3.1, is that it exploits another bug in
> older versions of FreeBSD that pretty quickly provokes a panic.  The
> descriptor leak takes longer to DoS the machine.
> 
> BTW, should someone prepare a patch for both bugs in 2.2.X?

I was just gonna suggest this. We still use 2.x-stable in the production
enviroment.

> 
> I haven't observed the other leak.  It looks like a problem with stream
> sockets.
> 

-- dima


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message