Date: Sun, 9 May 1999 07:28:06 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: sthaug@nethelp.no, Don.Lewis@tsc.tdk.com
Cc: wes@softweyr.com, toasty@HOME.DRAGONDATA.COM, security@FreeBSD.ORG
Subject: Re: KKIS.05051999.003b
Message-ID: <199905091428.HAA20849@salsa.gv.tsc.tdk.com>
In-Reply-To: sthaug@nethelp.no "Re: KKIS.05051999.003b" (May 9, 3:13pm)
On May 9, 3:13pm, sthaug@nethelp.no wrote:
} Subject: Re: KKIS.05051999.003b
} Okay, but why should the *standalone* version of the client receive any
} message at all (which it does: a zero length message) when there's no
} sender involved at all? I think this is part of bug number 2.

What appears to be happening is that the client does sendto() and then does recvmsg(), which returns, and then the client continues on to do the next unlink() before the server wakes up and does its sendmsg(). When the server finally gets around to executing sendmsg(), the client has already unlinked the socket that the server is trying to send its reply to, causing the sendmsg() to fail and leak the descriptor that is being passed.

The UFS vs MFS effect that I observed apparently affects the timing. If I add a sleep() call in the client before the recvmsg(), everything works as it should.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
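The ordering Don Lewis describes, reproduced as an added example that is not part of his message or of the program the advisory concerns: a client and a server on AF_UNIX datagram sockets, the server replying with a descriptor attached via SCM_RIGHTS, run in a single process so that the client's unlink() can be placed deliberately before or after the server's sendmsg() instead of depending on scheduler timing. With the unlink() first, the server's sendmsg() fails (ENOENT on Linux because the path is gone; ECONNREFUSED if the path lingers but the socket is closed); with the client waiting for the reply first, the descriptor arrives and is shown to work. The kernel-side leak of the internalized descriptor that the message reports cannot be observed from user space, so the example only demonstrates the failing call and the correct user-space handling around it (the server closes its own references whatever sendmsg() returned). The socket paths under /tmp and the function names are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

static int last_send_errno;  /* errno from the server's failed sendmsg(), if any */

static void set_path(struct sockaddr_un *sa, const char *path)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    snprintf(sa->sun_path, sizeof sa->sun_path, "%s", path);
}

/* Bind an AF_UNIX datagram socket to `path`, removing any stale entry first. */
static int bind_dgram(const char *path)
{
    struct sockaddr_un sa;
    int s = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    set_path(&sa, path);
    unlink(path);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0) { close(s); return -1; }
    return s;
}

/* Server side: reply to the socket bound at `to` with `fd` attached as SCM_RIGHTS; -1 on failure. */
static int send_fd(int sock, const char *to, int fd)
{
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct sockaddr_un sa;
    struct msghdr msg; struct cmsghdr *cm;
    char byte = 'R';
    struct iovec iov = { &byte, 1 };
    set_path(&sa, to);
    memset(&msg, 0, sizeof msg); memset(&u, 0, sizeof u);
    msg.msg_name = &sa;      msg.msg_namelen = sizeof sa;
    msg.msg_iov = &iov;      msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Client side: read the reply and return the descriptor it carried, or -1. */
static int recv_fd(int sock)
{
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg; struct cmsghdr *cm;
    char byte;
    struct iovec iov = { &byte, 1 };
    int fd = -1;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;      msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) < 0) return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Both ends in one process, so the ordering is fixed rather than left to the scheduler.
 * Returns 1 if the client ends up with a usable descriptor, 0 if the server's sendmsg()
 * fails because the client already unlinked its socket, -1 on setup error. */
static int run_exchange(int client_unlinks_first)
{
    char spath[64], cpath[64], buf[8], req = 'Q';
    struct sockaddr_un to;
    int srv, cli, pfd[2], got, ok = 0;
    snprintf(spath, sizeof spath, "/tmp/fdrace-srv.%ld", (long)getpid());  /* assumed location */
    snprintf(cpath, sizeof cpath, "/tmp/fdrace-cli.%ld", (long)getpid());
    if ((srv = bind_dgram(spath)) < 0 || (cli = bind_dgram(cpath)) < 0 || pipe(pfd) < 0)
        return -1;
    set_path(&to, spath);                                   /* client: send the request */
    if (sendto(cli, &req, 1, 0, (struct sockaddr *)&to, sizeof to) != 1) return -1;
    if (recv(srv, buf, sizeof buf, 0) != 1) return -1;      /* server: pick it up */
    if (client_unlinks_first) unlink(cpath);                /* the ordering in the report */
    if (send_fd(srv, cpath, pfd[0]) == 0) {                 /* server: reply with the pipe's read end */
        if ((got = recv_fd(cli)) >= 0) {                    /* client: collect it and prove it works */
            if (write(pfd[1], "x", 1) == 1 && read(got, buf, 1) == 1) ok = 1;
            close(got);
        }
    } else last_send_errno = errno;  /* ENOENT (path gone) or ECONNREFUSED (socket gone) */
    close(pfd[0]); close(pfd[1]);    /* server's own references: released whatever sendmsg() did */
    close(srv); close(cli); unlink(spath); unlink(cpath);
    return ok;
}

int main(void)
{
    int waits = run_exchange(0), early = run_exchange(1);   /* expect 1, then 0 */
    printf("client waits: %d, client unlinks first: %d (errno %d)\n", waits, early, last_send_errno);
    return 0;
}
```

The point of running both ends in one process is that the race in the report is a pure ordering problem: nothing about the sockets is wrong, only the moment at which the client removes the name the server is about to reply to. A real client fixes it by not tearing its socket down until recvmsg() has returned the reply it is waiting for, not by sleeping; the sleep() in the message only widens the window in the right direction.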