From owner-freebsd-bugs Mon Mar 12 3:30:11 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id E9FAD37B71C
	for ; Mon, 12 Mar 2001 03:30:02 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f2CBU2p99749;
	Mon, 12 Mar 2001 03:30:02 -0800 (PST)
	(envelope-from gnats)
Received: from Unicorn.Forest.Od.UA (Forest-2M-EuroPort.Forest.Od.UA [195.138.69.214])
	by hub.freebsd.org (Postfix) with ESMTP id 66F4237B719
	for ; Mon, 12 Mar 2001 03:24:16 -0800 (PST)
	(envelope-from unicorn@Unicorn.Forest.Od.UA)
Received: (from unicorn@localhost)
	by Unicorn.Forest.Od.UA (8.11.3/8.11.3) id f2CBOLZ99380
	for FreeBSD-gnats-submit@freebsd.org; Mon, 12 Mar 2001 13:24:21 +0200 (EET)
	(envelope-from unicorn)
Message-Id: <200103121124.f2CBOLZ99380@Unicorn.Forest.Od.UA>
Date: Mon, 12 Mar 2001 13:24:21 +0200 (EET)
From: unicorn@Forest.Od.UA
Reply-To: unicorn@Forest.Od.UA
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: kern/25732: Patch against crash caused by operations with half-binded sockets.
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         25732
>Category:       kern
>Synopsis:       Patch against crash caused by operations with half-binded sockets.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 12 03:30:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Winged Unicorn
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Valhala
>Environment:
System: FreeBSD Unicorn.Forest.Od.UA 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Feb 21 20:56:33 EET 2001 root@Unicorn.Forest.Od.UA:/usr/src/sys/compile/FOREST i386
Working jail environment with NIS/YP installed.
>Description:
If the bind() call fails to allocate a port due to a `prison_ip' permission failure, the socket is left in a half-bound state (bind returns an error but does not undo the socket state; on failure, bind should leave inp_laddr.s_addr == INADDR_ANY && inp_lport == 0, indicating that the socket is NOT yet bound). In the above case `bind' aborts and the socket is left in the bound state, but it is not inserted into the hash lists (in_pcbinshash). Any operation on such a socket will dereference the hash pointers and lead to a crash.
>How-To-Repeat:
In a jail with a NIS/YP environment, type `id some_nis_user'.
>Fix:
`cvs diff in_pcb.c' follows:

Index: in_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.81
diff -r1.81 in_pcb.c
275c275,281
< if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr ))
---
> if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr )) {
> /*
> * Undo any address bind that may have
> * occurred above.
> */
> inp->inp_laddr.s_addr = INADDR_ANY;
>
276a283
> }
284c291,296
< if (p && (error = suser_xxx(0, p, PRISON_ROOT)))
---
> if (p && (error = suser_xxx(0, p, PRISON_ROOT))) {
> /*
> * Undo any address bind that may have
> * occurred above.
> */
> inp->inp_laddr.s_addr = INADDR_ANY;
285a298
> }
309,312d321
< /*
< * Undo any address bind that may have
< * occurred above.
< */
346,347c355,361
< if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr))
< return(EINVAL);
---
>
> if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr)) {
> inp->inp_laddr.s_addr = INADDR_ANY;
> inp->inp_lport = 0;
> return (EINVAL);
> }
>
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
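Review bot: in the 275c275,281 hunk the prison_ip failure path resets inp_laddr.s_addr but not inp_lport, while the 346,347c355,361 hunk resets both; the PR's own statement of the post-failure invariant is inp_laddr.s_addr == INADDR_ANY && inp_lport == 0. If inp_lport is guaranteed to be still 0 at this point, the new comment should say so (e.g. `* occurred above (inp_lport is not yet assigned here).`); otherwise add `inp->inp_lport = 0;` so that all the error paths leave the pcb in the same state.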
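Review bot: the suser_xxx failure path in 284c291,296 repeats the same four-line comment and reset as the hunk before it, and the 346,347c355,361 hunk adds a third copy of the reset; a single error label at the end of the function (`goto fail;` with the reset and `return (error);` under it) would keep the undo in one place, so that a future error return in in_pcbbind cannot forget it again, which is exactly the class of bug this PR reports.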
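Review bot: 309,312d321 deletes the `Undo any address bind that may have occurred above.` comment at its original site but the diff shows no change to the code that comment described, so that reset is left uncommented while the two new sites above each get a copy of the comment; keep the comment at its original site as well, since a bare `inp->inp_laddr.s_addr = INADDR_ANY;` on an error path is easy to mistake for dead code and remove.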
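Review bot: the rewritten check in 346,347c355,361 is the one site that clears both inp_laddr.s_addr and inp_lport before returning EINVAL, which is right since inp_lport is assigned immediately before it, but it is also the one site without the explanatory comment; add the same `Undo any address bind` comment here, and drop the two blank `>` lines added above and below the block, which are whitespace-only changes. The `return(EINVAL);` to `return (EINVAL);` change is fine and matches style(9).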
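The failure mode the description states, a bind() that returns an error but leaves the pcb partly bound and absent from the hash, is shown below as an added, user-space model; this is example code written for this page, not the PR's patch or FreeBSD's in_pcbbind(). The names pcb, jail_allows_addr, bind_leaky, bind_clean and pcb_state_consistent are assumptions for the illustration, the jail address 10.0.0.1 is a constructed value, and the in_hash flag stands in for membership in the in_pcbinshash() lists. bind_leaky has the shape the PR reports (state committed before the prison check, no undo on the error return); bind_clean has the shape the patch moves to (every error path restores inp_laddr == INADDR_ANY and inp_lport == 0).

```c
/* Added example, not from the PR or from FreeBSD: a user-space model of
 * the in_pcbbind() error paths discussed in kern/25732.  All names here
 * (pcb, jail_allows_addr, bind_leaky, bind_clean, pcb_state_consistent)
 * are assumptions made for the illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_INADDR_ANY 0u
#define MODEL_EINVAL     22

/* Minimal stand-in for struct inpcb: local address, local port, and
 * whether the pcb has been inserted into the lookup hash. */
struct pcb {
    uint32_t laddr;
    uint16_t lport;
    bool     in_hash;
};

/* Stand-in for prison_ip(): a jail may only bind INADDR_ANY or its own
 * address.  Constructed policy: the jail's address is 10.0.0.1. */
static bool jail_allows_addr(uint32_t addr)
{
    return addr == MODEL_INADDR_ANY || addr == 0x0A000001u;
}

/* Stand-in for in_pcbinshash(). */
static void pcb_insert_hash(struct pcb *p)
{
    p->in_hash = true;
}

/* The reported shape: laddr/lport are written before the prison check,
 * and the error return does not undo them, so the pcb looks bound but
 * was never hashed. */
static int bind_leaky(struct pcb *p, uint32_t addr, uint16_t port)
{
    if (p->lport != 0 || p->laddr != MODEL_INADDR_ANY)
        return MODEL_EINVAL;          /* already bound */
    p->laddr = addr;                  /* partial state committed here */
    p->lport = port;
    if (!jail_allows_addr(p->laddr))
        return MODEL_EINVAL;          /* laddr/lport left dirty */
    pcb_insert_hash(p);
    return 0;
}

/* The patched shape: every failure path restores laddr == INADDR_ANY and
 * lport == 0 before returning, so a failed bind leaves an unbound pcb. */
static int bind_clean(struct pcb *p, uint32_t addr, uint16_t port)
{
    if (p->lport != 0 || p->laddr != MODEL_INADDR_ANY)
        return MODEL_EINVAL;
    p->laddr = addr;
    p->lport = port;
    if (!jail_allows_addr(p->laddr)) {
        p->laddr = MODEL_INADDR_ANY;  /* undo the partial bind */
        p->lport = 0;
        return MODEL_EINVAL;
    }
    pcb_insert_hash(p);
    return 0;
}

/* The invariant the PR describes: a pcb with a local address or port set
 * must be in the hash, and a pcb that is not in the hash must be fully
 * cleared.  A half-bound pcb violates it. */
static bool pcb_state_consistent(const struct pcb *p)
{
    bool bound = p->laddr != MODEL_INADDR_ANY || p->lport != 0;
    return bound == p->in_hash;
}

/* Runs one bind attempt on a fresh pcb with the given bind function and
 * reports whether the pcb is consistent afterwards, whatever bind returned. */
static bool try_bind(int (*bind_fn)(struct pcb *, uint32_t, uint16_t),
                     uint32_t addr, uint16_t port)
{
    struct pcb p;
    memset(&p, 0, sizeof p);
    (void)bind_fn(&p, addr, port);
    return pcb_state_consistent(&p);
}

int main(void)
{
    /* 10.0.0.1 is the jail's own address (allowed); 10.0.0.2 is not. */
    printf("leaky, jail addr:    %s\n",
           try_bind(bind_leaky, 0x0A000001u, 1234) ? "consistent" : "INCONSISTENT");
    printf("leaky, foreign addr: %s\n",
           try_bind(bind_leaky, 0x0A000002u, 1234) ? "consistent" : "INCONSISTENT");
    printf("clean, foreign addr: %s\n",
           try_bind(bind_clean, 0x0A000002u, 1234) ? "consistent" : "INCONSISTENT");
    return 0;
}
```

Only the leaky bind of a foreign address leaves an inconsistent pcb: it carries a local address and port while in_hash is false, which is the state in which the real kernel would later follow hash pointers that were never set. The check in pcb_state_consistent is the kind of assertion that belongs at the top of the pcb operations that assume a bound socket is hashed.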