Date: Thu, 21 Jan 1999 21:29:33 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: hackers@FreeBSD.ORG Subject: sorflush() bug fix in uipc_usrreq.c -- need someone to review this Message-ID: <199901220529.VAA47602@apollo.backplane.com>
next in thread | raw e-mail | index | archive | help
This fix is currently comitted to -4.x. I don't want to backport it to
-3.x until I get an independant review.
This code is ( I believe ) part of the message queue flushing for
typically unix domain sockets, relating to file descriptor passing.
This code is attempting to flush the in-transit file descriptors when
both sides of the connection go poof.
The problem ( I believe ) is that it is calling sorflush() potentially
on non-sockets. While most uses of file descriptor passing pass only
sockets, if this bug is hit for those uses that do not, it could corrupt
kernel memory or cause a crash.
I need someone to check the code and tell me I'm not blowing smoke before
I backport this :-)
-Matt
Matthew Dillon
<dillon@backplane.com>
*** uipc_usrreq.c 1998/10/25 17:44:51 1.37
--- uipc_usrreq.c 1999/01/21 08:03:49
***************
*** 1114,1121 ****
/*
* for each FD on our hit list, do the following two things
*/
! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp)
! sorflush((struct socket *)(*fpp)->f_data);
for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp)
closef(*fpp, (struct proc *) NULL);
free((caddr_t)extra_ref, M_FILE);
--- 1114,1124 ----
/*
* for each FD on our hit list, do the following two things
*/
! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) {
! struct file *tfp = *fpp;
! if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL)
! sorflush((struct socket *)(tfp->f_data));
! }
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199901220529.VAA47602>