Date: Sat, 4 Sep 1999 18:10:13 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: "Brian F. Feldman" <green@FreeBSD.ORG>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Nick Hibma <hibma@skylink.it>, FreeBSD -- The Power to Serve <geniusj@free-bsd.org>, Mike Tancsa <mike@sentex.net>, freebsd-security@FreeBSD.ORG
Subject: Re: FW: Local DoS in FreeBSD
Message-ID: <199909050110.SAA63819@apollo.backplane.com>
References: <Pine.BSF.4.10.9909042003450.76486-100000@janus.syracuse.net>
:
:Whatever's in login.conf? :)  Would you mind helping me out with
:http://www.FreeBSD.org/~green/sbsize2.patch?  The KASSERT() fails
:in some cases, which I need help tracking down.
:...
: Brian Fundakowski Feldman           /  "Any sufficiently advanced bug is \

    Hmmm.  I see a problem, but it may not be the cause of your problem.

    'ui_proccnt == 0 && ui_sbsize == 0' may not be sufficient to determine
    when a uip can be deleted, because a root process can change its uid
    (resulting in the old uip's proccnt possibly going to 0) and a socket
    buffer can be set to 0-length during a shutdown() operation, possibly
    causing ui_sbsize to go to zero.  Thus both fields may end up zero, a
    reference to the uip may remain associated with the socket, and
    chgproccnt may free the underlying uip.

    I think what you need is a direct pointer reference to the uip from the
    socket.  This would require a ui_refcount be kept on the uip, since
    ui_proccnt isn't really a general ref count in and of itself.

    I suspect that you may still hit the KASSERT, that there is something
    we are still missing, but this should help.

                                        -Matt
                                        Matthew Dillon
                                        <dillon@backplane.com>
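A toy C model of the accounting problem Matt describes, added here as an illustration; it is not FreeBSD code and not part of the sbsize2 patch. The names uidinfo, ui_proccnt, ui_sbsize, ui_refcount and chgproccnt are taken from the mail; the struct layout, the socket_model type, the ui_freed instrumentation flag (set instead of calling free()) and the helper functions are assumptions. The first scenario applies the "both counters are zero" rule and shows the socket left pointing at a reclaimed uidinfo after a shutdown() followed by a uid change; the second applies a per-pointer reference count, so the uidinfo survives until the socket itself lets go of it.

```c
/*
 * Added example: a toy model of the uidinfo accounting discussed in the
 * mail.  Not FreeBSD code.  Names uidinfo, ui_proccnt, ui_sbsize,
 * ui_refcount and chgproccnt come from the thread; everything else
 * (socket_model, ui_freed, the helper functions) is a hypothetical
 * simplification for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct uidinfo {
    long ui_proccnt;    /* processes currently running under this uid */
    long ui_sbsize;     /* socket-buffer bytes charged to this uid */
    long ui_refcount;   /* holders of a direct pointer (the proposed fix) */
    bool ui_freed;      /* instrumentation: set instead of calling free() */
};

struct socket_model {
    struct uidinfo *so_uidinfo;   /* direct pointer from socket to uidinfo */
    long so_sbsize;               /* this socket's current buffer charge */
};

/* --- rule under test in the patch: free when both counters are zero --- */

static void old_chgproccnt(struct uidinfo *uip, long diff)
{
    uip->ui_proccnt += diff;
    if (uip->ui_proccnt == 0 && uip->ui_sbsize == 0)
        uip->ui_freed = true;           /* the questionable free */
}

/* Re-charge a socket buffer; shutdown() effectively calls this with 0. */
static void chgsbsize(struct socket_model *so, long newsize)
{
    so->so_uidinfo->ui_sbsize += newsize - so->so_sbsize;
    so->so_sbsize = newsize;
}

/* --- Matt's suggestion: an explicit reference count per direct pointer --- */

static void uidinfo_ref(struct uidinfo *uip)
{
    uip->ui_refcount++;
}

static void uidinfo_rele(struct uidinfo *uip)
{
    if (--uip->ui_refcount == 0)
        uip->ui_freed = true;           /* last holder gone: safe to free */
}

/*
 * Scenario from the mail under the old rule: a socket is charged to the
 * uid, shutdown() shrinks its buffer to 0, then the (root) process changes
 * uid.  Returns true if the socket is left pointing at a freed uidinfo.
 */
bool old_rule_leaves_dangling_pointer(void)
{
    struct uidinfo ui = {0, 0, 0, false};
    struct socket_model so = {&ui, 0};

    old_chgproccnt(&ui, +1);     /* process enters the uid */
    chgsbsize(&so, 1024);        /* socket buffer charged to the uid */
    chgsbsize(&so, 0);           /* shutdown(): buffer length goes to 0 */
    old_chgproccnt(&ui, -1);     /* setuid(): proccnt 1 -> 0, sbsize is 0 */
    return so.so_uidinfo->ui_freed;   /* socket still holds the pointer */
}

/* Same sequence with reference counting: the socket's pointer stays valid. */
bool refcount_rule_leaves_dangling_pointer(void)
{
    struct uidinfo ui = {0, 0, 0, false};
    struct socket_model so = {NULL, 0};

    uidinfo_ref(&ui);            /* the process holds a reference */
    ui.ui_proccnt++;
    so.so_uidinfo = &ui;         /* the socket holds its own reference */
    uidinfo_ref(&ui);
    chgsbsize(&so, 1024);
    chgsbsize(&so, 0);           /* shutdown() */
    ui.ui_proccnt--;             /* setuid(): counter hits 0 ... */
    uidinfo_rele(&ui);           /* ... but refcount only drops 2 -> 1 */
    return so.so_uidinfo->ui_freed;
}

/* The uidinfo is reclaimed only when the last holder (the socket) lets go. */
bool refcount_rule_frees_on_last_release(void)
{
    struct uidinfo ui = {0, 0, 0, false};

    uidinfo_ref(&ui);            /* process */
    uidinfo_ref(&ui);            /* socket */
    uidinfo_rele(&ui);           /* process changes uid */
    bool freed_early = ui.ui_freed;
    uidinfo_rele(&ui);           /* socket closed */
    return !freed_early && ui.ui_freed;
}

int main(void)
{
    printf("old rule dangling:      %d\n", old_rule_leaves_dangling_pointer());
    printf("refcount rule dangling: %d\n", refcount_rule_leaves_dangling_pointer());
    printf("refcount frees at end:  %d\n", refcount_rule_frees_on_last_release());
    return 0;
}
```

The point the model makes is the one in the mail: ui_proccnt and ui_sbsize count resources, not pointers, so both can legitimately be zero while a socket still holds the address of the uidinfo; only a count of the pointer holders themselves tells chgproccnt whether freeing is safe.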