Date:      Mon, 9 Oct 2000 01:58:12 +0300 (EEST)
From:      Unicorn@Forest.Od.UA
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/21845: crash, while trying to send udp via half-binded socket from jail
Message-ID:  <200010082258.e98MwCE26166@Guest.Forest.Od.UA>

>Number:         21845
>Category:       kern
>Synopsis:       crash, while trying to send udp via half-binded socket from jail
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 08 16:10:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     The Winged Unicorn
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Edem
>Environment:

	jail

>Description:

         When the jail limitations on socket binding were added, the
rollback before returning an error was missed. `bind' returns an error,
but the socket becomes `half-binded', i.e. laddr is changed to some
nonzero value. When `sendto' is called, the pcb of that socket is
processed, but its list fields are still uninitialized. This leads to a
crash in sendto->...->in_pcbconnect->in_pcbrehash.

>How-To-Repeat:

         Install a jail, with a NIS/YP server on the real system serving
the passwd DB and a NIS/YP client on the jail system using the shared
passwd DB. Log in using a YP account and just type 'id', 'finger', or
whatever.

>Fix:

Apply patch:

cvs diff: Diffing .
Index: in_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.67
diff -r1.67 in_pcb.c
273c273,274
< 		if (prison_ip(p, 0, &inp->inp_laddr.s_addr ))
---
> 		if (prison_ip(p, 0, &inp->inp_laddr.s_addr )) {
> 			inp->inp_laddr.s_addr = INADDR_ANY; /* roll back */
274a276
> 		}
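Review bot: The rollback added at line 273 hard-codes INADDR_ANY, which assumes inp_laddr was unbound when this call started; nothing in the hunk shows that. prison_ip() is handed &inp->inp_laddr.s_addr, a pointer into the pcb, so the check runs against live state. Consider running the check on a local copy and assigning inp->inp_laddr only after it passes, so that no error path needs an undo. This is also a context-free "diff -r1.67"; a unified diff (cvs diff -u) would show the statement that sits between the added braces and make the error path reviewable.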
282c284,285
< 			if (p && (error = suser_xxx(0, p, PRISON_ROOT)))
---
> 			if (p && (error = suser_xxx(0, p, PRISON_ROOT))) {
> 				inp->inp_laddr.s_addr = INADDR_ANY; /* roll back */
283a287
> 			}
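Review bot: The change at line 282 repeats "inp->inp_laddr.s_addr = INADDR_ANY; /* roll back */" inside the suser_xxx(0, p, PRISON_ROOT) failure branch, so the undo now lives in two places and any error return added later between them can miss it again. A single failure exit that resets laddr, or (if the ordering allows) running the privilege check before the pcb is written, would remove the duplication. The comment could also state the invariant being restored, for example that a failed bind must leave the pcb unbound.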

>Release-Note:
>Audit-Trail:
>Unformatted:
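
The failure described under >Description: (an error return that leaves laddr set, followed by a send path that trusts laddr) can be reproduced in a small userspace model. This is an added example, not code from the report or from the FreeBSD source: struct pcb, JAIL_IP, the three functions and the send-path rule are hypothetical simplifications, and the second bind variant validates before writing rather than rolling back as the patch does.

```c
#include <stdint.h>

#define ADDR_ANY 0u
#define JAIL_IP  0x0a000002u   /* constructed: the one address the jail may use */

/* Hypothetical stand-in for a protocol control block, not the kernel's struct inpcb. */
struct pcb {
    uint32_t laddr;   /* local address, ADDR_ANY while unbound */
    uint16_t lport;   /* local port, 0 while unbound */
    int      hashed;  /* 1 once the hash-list linkage has been initialised */
};

/* Pattern from the report: state is written, the check fails, nothing is rolled back. */
int bind_no_rollback(struct pcb *p, uint32_t addr, uint16_t port)
{
    p->laddr = addr;
    if (p->laddr != JAIL_IP)
        return -1;            /* error returned, laddr left nonzero */
    p->lport = port;
    p->hashed = 1;
    return 0;
}

/* Alternative: check the caller's value first, touch the pcb only on success. */
int bind_validate_then_commit(struct pcb *p, uint32_t addr, uint16_t port)
{
    if (addr != JAIL_IP)
        return -1;            /* pcb untouched on failure */
    p->laddr = addr;
    p->lport = port;
    p->hashed = 1;
    return 0;
}

/* Send path: a pcb with no local address gets an implicit bind, any other pcb is
 * assumed to be linked already. Returns -2 where a rehash would walk list fields
 * that were never initialised (the crash in the report), 0 otherwise. */
int send_path(struct pcb *p)
{
    if (p->laddr == ADDR_ANY) {
        p->laddr = JAIL_IP;
        p->lport = 1024;      /* constructed ephemeral port */
        p->hashed = 1;
    }
    return p->hashed ? 0 : -2;
}
```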