Date: Sun, 9 May 1999 07:06:07 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: Don Lewis <Don.Lewis@tsc.tdk.com>, sthaug@nethelp.no
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
Message-ID: <199905091406.HAA20815@salsa.gv.tsc.tdk.com>
In-Reply-To: Don Lewis <Don.Lewis@tsc.tdk.com> "Re: KKIS.05051999.003b" (May 9, 6:48am)
On May 9, 6:48am, Don Lewis wrote:
} Subject: Re: KKIS.05051999.003b
} FLASH!  Now this is really weird.  The original exploit code doesn't show
} any signs of leaking descriptors on one of our 3.1-stable machines, but
} /tmp (where the sockets are created) is mfs.  If I change PATH and
} PATH_TMP so that they point to /var/tmp, sendmsg() fails with
} ECONNREFUSED after the first iteration and descriptors are leaked.
}
} I might believe that descriptors could be leaked if sendmsg() fails this
} way, but why would sendmsg() fail if the sockets live in a ufs filesystem
} but not if the sockets live in a mfs filesystem?

Ok, the first bug is in uipc_send().  If an error occurs between
unp_internalize() and release:, then the work that unp_internalize() did
needs to be undone.  Probably something like:

	if (control && error != 0)
		unp_dispose(control);

right before release: would do the trick.

I haven't a clue about what appears to be bug number 2.
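The leak Don describes is a reference-count problem: unp_internalize() turns the descriptor numbers in an SCM_RIGHTS control message into file pointers and takes a reference on each (fhold()); if uipc_send() then bails out to release: with an error, nothing drops those references, so the files outlive every descriptor that points at them. The following is an added illustration written for this archive page, not code from FreeBSD's uipc_usrreq.c: a small userland model in which every name prefixed model_ is invented, the file table is a constructed eight-slot array, and "delivery fails" is a switch standing in for whatever returned ECONNREFUSED in the report. It runs the same send path with and without the suggested unp_dispose() call at release: and counts the references left over once both sides have closed everything. The second bug (ufs versus mfs) is not modelled.

```c
/* Model of the uipc_send()/unp_internalize()/unp_dispose() reference lifecycle.
 * Added example for this page; invented names (model_*), not FreeBSD code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_NFILES        8
#define MODEL_ECONNREFUSED  61  /* same value as FreeBSD's errno; only a label here */

struct model_file { int refcount; };          /* what fhold()/fdrop() act on */
struct model_control {                         /* an internalized SCM_RIGHTS message */
    struct model_file *files[MODEL_NFILES];
    size_t nfiles;
};

static struct model_file filetab[MODEL_NFILES];   /* constructed open-file table */

static void model_reset(void) { memset(filetab, 0, sizeof filetab); }

/* open(2): a fresh file holding one reference for the caller's descriptor. */
static int model_open(void) {
    for (int fd = 0; fd < MODEL_NFILES; fd++)
        if (filetab[fd].refcount == 0) { filetab[fd].refcount = 1; return fd; }
    return -1;
}

/* close(2): drop the descriptor's reference. */
static void model_close(int fd) {
    if (fd >= 0 && fd < MODEL_NFILES && filetab[fd].refcount > 0)
        filetab[fd].refcount--;
}

/* unp_internalize(): validate every fd, then take a reference on each file. */
static int model_internalize(struct model_control *c, const int *fds, size_t n) {
    if (n > MODEL_NFILES) return 40;                       /* EMSGSIZE stand-in */
    for (size_t i = 0; i < n; i++)
        if (fds[i] < 0 || fds[i] >= MODEL_NFILES || filetab[fds[i]].refcount == 0)
            return 9;                                      /* EBADF stand-in */
    for (size_t i = 0; i < n; i++) {
        c->files[i] = &filetab[fds[i]];
        c->files[i]->refcount++;                           /* fhold() */
    }
    c->nfiles = n;
    return 0;
}

/* unp_dispose(): give back the references an undelivered message still holds. */
static void model_dispose(struct model_control *c) {
    for (size_t i = 0; i < c->nfiles; i++)
        c->files[i]->refcount--;                           /* fdrop() */
    c->nfiles = 0;
}

/* Receiver side (unp_externalize()): the held references become the peer's
 * descriptors.  In this model the filetab index doubles as the new fd. */
static size_t model_receive(struct model_control *c, int *out_fds) {
    size_t n = c->nfiles;
    for (size_t i = 0; i < n; i++)
        out_fds[i] = (int)(c->files[i] - filetab);
    c->nfiles = 0;
    return n;
}

/* uipc_send() with SCM_RIGHTS, reduced to the path the report is about. */
static int model_send(const int *fds, size_t n, bool delivery_fails, bool with_fix,
                      int *recv_fds, size_t *nrecv) {
    struct model_control control;
    int error;

    memset(&control, 0, sizeof control);
    *nrecv = 0;
    error = model_internalize(&control, fds, n);
    if (error != 0)
        goto release;
    if (delivery_fails) {            /* any failure between internalize and release: */
        error = MODEL_ECONNREFUSED;
        goto release;
    }
    *nrecv = model_receive(&control, recv_fds);   /* queued and picked up by the peer */
release:
    /* The suggested fix: undo unp_internalize() whenever we exit with an error. */
    if (with_fix && control.nfiles > 0 && error != 0)
        model_dispose(&control);
    return error;
}

/* Run one scenario; return the references still held after both sides have
 * closed every descriptor.  Anything above zero is a leaked file. */
static int model_leaked_refs(bool delivery_fails, bool with_fix) {
    int fds[2], recv_fds[MODEL_NFILES], total = 0;
    size_t nrecv;

    model_reset();
    fds[0] = model_open();
    fds[1] = model_open();
    (void)model_send(fds, 2, delivery_fails, with_fix, recv_fds, &nrecv);
    for (size_t i = 0; i < nrecv; i++) model_close(recv_fds[i]);   /* receiver */
    model_close(fds[0]); model_close(fds[1]);                       /* sender */
    for (int i = 0; i < MODEL_NFILES; i++) total += filetab[i].refcount;
    return total;
}

int main(void) {
    printf("send fails, no fix: %d leaked refs\n", model_leaked_refs(true, false));
    printf("send fails, fixed : %d leaked refs\n", model_leaked_refs(true, true));
    printf("send succeeds     : %d leaked refs\n", model_leaked_refs(false, false));
    return 0;
}
```

The two passed descriptors come back with one stray reference each when the send fails without the fix, and with none once model_dispose() runs at release:. Note that nothing the sender can do from userland recovers those references: its own close() only drops the descriptor's reference, which is exactly why the original report saw the leak accumulate across iterations.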