From owner-freebsd-current@FreeBSD.ORG Sun Apr 4 03:53:09 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 514FF16A4CF; Sun, 4 Apr 2004 03:53:09 -0700 (PDT) Received: from relay.macomnet.ru (relay.macomnet.ru [195.128.64.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4809C43D5C; Sun, 4 Apr 2004 03:53:08 -0700 (PDT) (envelope-from maxim@macomnet.ru) Received: from mp3 (7ckii6so@mp3files.int.ru [195.128.64.20]) by relay.macomnet.ru (8.12.10/8.12.10) with ESMTP id i34Ar5OB11060880; Sun, 4 Apr 2004 14:53:06 +0400 (MSD) Date: Sun, 4 Apr 2004 14:53:05 +0400 (MSD) From: Maxim Konovalov To: Ryan Sommers In-Reply-To: <49165.65.103.5.228.1081027268.squirrel@www2.neuroflux.com> Message-ID: <20040404144858.H26420@mp3files.int.ru> References: <49165.65.103.5.228.1081027268.squirrel@www2.neuroflux.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: truckman@freebsd.org cc: current@freebsd.org Subject: Re: Panic from bad length parameter in bind (Possible DOS attack) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Apr 2004 10:53:09 -0000 [ CC'ed truckman, an author of rev. 1.92 tcp_usrreq.c ] On Sat, 3 Apr 2004, 14:21-0700, Ryan Sommers wrote: > Whenever I supply a length of 4 as the final bind parameter I get the > following panic. Looks like bind returns fine, however, when the program > exits it stumbles over some mutex associated with the descriptor. The > mutex passed to mtx_destroy() has MTX_RECURSED set. I attempted to find > where the call to bind was clobbering the mutex but couldn't. I attached > the simple program to exploit this. I was able to do it as a regular user. > > panic: Assertion (m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0 failed > at /usr/src/sys/kern/kern_mutex.c:848 > panic messages: > --- > panic: Assertion (m->mtx_lock & (MTX_RECURSED|MTX_CONTESTED)) == 0 failed > at /usr/src/sys/kern/kern_mutex.c:8485B > at line 848 in file /usr/src/sys/kern/kern_mutex.c > Debugger("panic") [...] Try this: Index: tcp_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_usrreq.c,v retrieving revision 1.95 diff -u -r1.95 tcp_usrreq.c --- tcp_usrreq.c 16 Feb 2004 22:21:16 -0000 1.95 +++ tcp_usrreq.c 4 Apr 2004 10:41:14 -0000 @@ -245,8 +245,10 @@ * to them. */ sinp = (struct sockaddr_in *)nam; - if (nam->sa_len != sizeof (*sinp)) - return (EINVAL); + if (nam->sa_len != sizeof (*sinp)) { + error = EINVAL; + goto out; + } if (sinp->sin_family == AF_INET && IN_MULTICAST(ntohl(sinp->sin_addr.s_addr))) { error = EAFNOSUPPORT; @@ -276,8 +278,10 @@ * to them. */ sin6p = (struct sockaddr_in6 *)nam; - if (nam->sa_len != sizeof (*sin6p)) - return (EINVAL); + if (nam->sa_len != sizeof (*sin6p)) { + error = EINVAL; + goto out; + } if (sin6p->sin6_family == AF_INET6 && IN6_IS_ADDR_MULTICAST(&sin6p->sin6_addr)) { error = EAFNOSUPPORT; @@ -371,8 +375,10 @@ * Must disallow TCP ``connections'' to multicast addresses. */ sinp = (struct sockaddr_in *)nam; - if (nam->sa_len != sizeof (*sinp)) - return (EINVAL); + if (nam->sa_len != sizeof (*sinp)) { + error = EINVAL; + goto out; + } if (sinp->sin_family == AF_INET && IN_MULTICAST(ntohl(sinp->sin_addr.s_addr))) { error = EAFNOSUPPORT; @@ -405,8 +411,10 @@ * Must disallow TCP ``connections'' to multicast addresses. */ sin6p = (struct sockaddr_in6 *)nam; - if (nam->sa_len != sizeof (*sin6p)) - return (EINVAL); + if (nam->sa_len != sizeof (*sin6p)) { + error = EINVAL; + goto out; + } if (sin6p->sin6_family == AF_INET6 && IN6_IS_ADDR_MULTICAST(&sin6p->sin6_addr)) { error = EAFNOSUPPORT; %%% -- Maxim Konovalov