Date: Sun, 14 Feb 1999 14:33:10 -0800 (PST) From: Julian Elischer <julian@whistle.com> To: Matthew Dillon <dillon@apollo.backplane.com> Cc: hackers@FreeBSD.ORG, stable@FreeBSD.ORG Subject: Re: Again: sorflush() bug fix in uipc_usrreq.c -- need someone to review this Message-ID: <Pine.BSF.3.95.990214143100.11800B-100000@current1.whistle.com> In-Reply-To: <199902142053.MAA07985@apollo.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I'm not convinced that it may not be impossible to get anything but
socket fds in the 'hitlist' Since to get on it the fd must be involved in
a cyclical reference (see the big comment in prior code).
still the check can't hurt..
julian
On Sun, 14 Feb 1999, Matthew Dillon wrote:
> Nobody but Doug has gotten back to me on this patch, which is in -current
> but not currently in stable. Doug indicated that he wasn't very familiar
> with the area in question.
>
> I think it's pretty important that this patch make it into the 3.1
> release but I would like someone familiar with the code to double-check
> it. If nobody gets back to me today on it I am going to commit it to
> -stable w/ Jordan's permission.
>
> -Matt
> Matthew Dillon
> <dillon@backplane.com>
>
>
> : This fix is currently comitted to -4.x. I don't want to backport it to
> : -3.x until I get an independant review.
> :
> : This code is ( I believe ) part of the message queue flushing for
> : typically unix domain sockets, relating to file descriptor passing.
> : This code is attempting to flush the in-transit file descriptors when
> : both sides of the connection go poof.
> :
> : The problem ( I believe ) is that it is calling sorflush() potentially
> : on non-sockets. While most uses of file descriptor passing pass only
> : sockets, if this bug is hit for those uses that do not, it could corrupt
> : kernel memory or cause a crash.
> :
> : I need someone to check the code and tell me I'm not blowing smoke before
> : I backport this :-)
> :
> : -Matt
> : Matthew Dillon
> : <dillon@backplane.com>
> :
> :*** uipc_usrreq.c 1998/10/25 17:44:51 1.37
> :--- uipc_usrreq.c 1999/01/21 08:03:49
> :***************
> :*** 1114,1121 ****
> : /*
> : * for each FD on our hit list, do the following two things
> : */
> :! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp)
> :! sorflush((struct socket *)(*fpp)->f_data);
> : for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp)
> : closef(*fpp, (struct proc *) NULL);
> : free((caddr_t)extra_ref, M_FILE);
> :--- 1114,1124 ----
> : /*
> : * for each FD on our hit list, do the following two things
> : */
> :! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) {
> :! struct file *tfp = *fpp;
> :! if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL)
> :! sorflush((struct socket *)(tfp->f_data));
> :! }
> :
> :
> :To Unsubscribe: send mail to majordomo@FreeBSD.org
> :with "unsubscribe freebsd-hackers" in the body of the message
> :
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.990214143100.11800B-100000>