Date:      Sun, 9 May 1999 05:40:27 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Wes Peters <wes@softweyr.com>, Don Lewis <Don.Lewis@tsc.tdk.com>
Cc:        Kevin Day <toasty@HOME.DRAGONDATA.COM>, security@FreeBSD.ORG
Subject:   Re: KKIS.05051999.003b
Message-ID:  <199905091240.FAA20619@salsa.gv.tsc.tdk.com>
In-Reply-To: Wes Peters <wes@softweyr.com> "Re: KKIS.05051999.003b" (May  8, 10:21pm)

On May 8, 10:21pm, Wes Peters wrote:
} Subject: Re: KKIS.05051999.003b
} Don Lewis wrote:

} > I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
} > panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
} > something.  The exploit code should not result in any calls to unp_gc(),
} > because the client receives all the descriptors that are sent by the server.
} 
} Actually it doesn't.  If you look up the first message I posted on this
} subject, I listed the error messages it produces, many of which indicated
} the client didn't get a descriptor from the server IIRC.  Maybe that's 
} how the descriptors are being lost; they've been sent on a UNIX domain
} socket and so have to remain open, have been closed by the server, working
} around its limits, and have not been read by the client?

I think all those messages are the result of running out of descriptors.
If no more descriptors can be created, then socket() will fail with ENFILE (23),
and bind(), sendto(), and recvmsg() will fail with EBADF (9), and unlink()
will fail with ENOENT (2).  I'd have to study the code some more to work
out the expected sequence of the errors assuming that no more descriptors
could be created.

The message containing the descriptor to be passed holds a reference to
the descriptor, so it is permissible for the server to close the descriptor
before the client receives the message.  See unp_internalize() and
unp_externalize().  BTW, how does this manage to work on the Alpha,
where sizeof(int) != sizeof(pointer)?
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
