Date: Sun, 9 May 1999 05:44:57 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: sthaug@nethelp.no, Don.Lewis@tsc.tdk.com
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
Message-ID: <199905091244.FAA20637@salsa.gv.tsc.tdk.com>
In-Reply-To: sthaug@nethelp.no "Re: KKIS.05051999.003b" (May 9, 1:17pm)

On May 9, 1:17pm, sthaug@nethelp.no wrote:
} Subject: Re: KKIS.05051999.003b
} > I don't see any obvious descriptor leaks, but the fact that FreeBSD < 3.1
} > panics (probably in unp_gc(), which Matt fixed) indicates that I'm missing
} > something.
}
} A 2.2.8 system I have here panics in sorflush (called from unp_gc()):

This is the bug that Matt Dillon fixed just before 3.1-RELEASE; sorflush()
is only supposed to be used on descriptors associated with sockets. This
exploit code causes sorflush() to be called on a descriptor for an open file.
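
Added example, not part of the original message and not FreeBSD source: a user-space model of the rule stated above, that a socket-only routine must run only on descriptors whose type tag says socket. The `*_model` types, `gc_sweep()` and the sample table are constructed for illustration; only the `f_type`/`f_data` and `DTYPE_*` names follow BSD conventions.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model; names follow BSD conventions but this is not
 * FreeBSD source. */
enum { DTYPE_VNODE = 1, DTYPE_SOCKET = 2 };

struct sock_model  { int rcv_bytes; };   /* stands in for struct socket */
struct vnode_model { int open_refs; };   /* stands in for an open file  */

struct file_model {
    int   f_type;   /* tag: what f_data really points to */
    void *f_data;
};

/* Socket-only routine: discards queued receive data. */
static void sorflush_model(struct sock_model *so) { so->rcv_bytes = 0; }

/* GC sweep over descriptors: check the tag before treating f_data as a
 * socket. Returns sockets flushed; *skipped counts entries left alone. */
int gc_sweep(struct file_model *tbl, size_t n, int *skipped)
{
    int flushed = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].f_type != DTYPE_SOCKET || tbl[i].f_data == NULL) {
            (*skipped)++;        /* an open file: no socket operation */
            continue;
        }
        sorflush_model((struct sock_model *)tbl[i].f_data);
        flushed++;
    }
    return flushed;
}

/* Constructed sample: two sockets and one open file in the same sweep. */
static struct sock_model  s1 = { 128 }, s2 = { 64 };
static struct vnode_model v1 = { 3 };

int demo(int *skipped)
{
    struct file_model tbl[] = {
        { DTYPE_SOCKET, &s1 }, { DTYPE_VNODE, &v1 }, { DTYPE_SOCKET, &s2 },
    };
    return gc_sweep(tbl, sizeof tbl / sizeof tbl[0], skipped);
}

int main(void)
{
    int skipped;
    int flushed = demo(&skipped);
    printf("flushed=%d skipped=%d file_refs=%d\n", flushed, skipped, v1.open_refs);
    return 0;
}
```

Without the tag check, the open-file entry would be cast to a socket and handed to the socket routine, which is the type confusion the message describes.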