From owner-freebsd-hackers Thu Jan 21 21:29:47 1999
Date: Thu, 21 Jan 1999 21:29:33 -0800 (PST)
From: Matthew Dillon
Message-Id: <199901220529.VAA47602@apollo.backplane.com>
To: hackers@FreeBSD.ORG
Subject: sorflush() bug fix in uipc_usrreq.c -- need someone to review this

This fix is currently committed to -4.x. I don't want to backport it to -3.x until I get an independent review.

This code is ( I believe ) part of the message queue flushing for typically unix domain sockets, relating to file descriptor passing. This code is attempting to flush the in-transit file descriptors when both sides of the connection go poof.

The problem ( I believe ) is that it is calling sorflush() potentially on non-sockets. While most uses of file descriptor passing pass only sockets, if this bug is hit for those uses that do not, it could corrupt kernel memory or cause a crash.

I need someone to check the code and tell me I'm not blowing smoke before I backport this :-)

-Matt
Matthew Dillon

*** uipc_usrreq.c 1998/10/25 17:44:51 1.37 --- uipc_usrreq.c 1999/01/21 08:03:49 *************** *** 1114,1121 **** /* * for each FD on our hit list, do the following two things */ ! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) ! 
sorflush((struct socket *)(*fpp)->f_data); for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) closef(*fpp, (struct proc *) NULL); free((caddr_t)extra_ref, M_FILE); --- 1114,1124 ---- /* * for each FD on our hit list, do the following two things */ ! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) { ! struct file *tfp = *fpp; ! if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL) ! sorflush((struct socket *)(tfp->f_data)); ! }
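
Review bot: the new guard `if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL)` in the first loop carries no comment explaining why it is needed, and the block comment above it still reads "for each FD on our hit list, do the following two things" as if both steps applied to every entry. A short comment stating that in-transit descriptors may be non-socket files, whose f_data is not a struct socket, would keep the type check from being removed later as redundant. It would also help to say when a DTYPE_SOCKET file can reach this loop with a NULL f_data: if that cannot happen here, the second half of the condition could be dropped or made an assertion, and if it can, the comment should name the path that leaves it NULL.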