From: Pawel Jakub Dawidek
To: Ryan Sommers
Cc: current@freebsd.org
Date: Sun, 4 Apr 2004 00:32:30 +0200
Subject: Re: Panic from bad length parameter in bind (Possible DOS attack)
Message-ID: <20040403223230.GC613@darkness.comp.waw.pl>
In-Reply-To: <49165.65.103.5.228.1081027268.squirrel@www2.neuroflux.com>
User-Agent: Mutt/1.4.2i
X-OS: FreeBSD 5.2.1-RC2 i386
X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc
List-Id: Discussions about the use of FreeBSD-current

On Sat, Apr 03, 2004 at 02:21:08PM -0700, Ryan Sommers wrote:
> Whenever I supply a length of 4 as the final bind parameter I get the
> following panic. Looks like bind returns fine, however, when the program
> exits it stumbles over some mutex associated with the descriptor. The
> mutex passed to mtx_destroy() has MTX_RECURSED set. I attempted to find
> where the call to bind was clobbering the mutex but couldn't. I attached
> the simple program to exploit this. I was able to do it as a regular user.

Yes, could you try this patch:

http://people.freebsd.org/~pjd/patches/tcp_usrreq.c.patch

--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
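An added illustration (written for this page, not the linked tcp_usrreq.c patch, whose contents are not shown here) of the kind of check a bind-style entry point needs against the report above: a caller-supplied address whose length is shorter than its family's structure, such as the 4-byte length quoted, is refused with EINVAL before any code downstream touches fields that are not actually there. The function names and the 127.0.0.1:8080 sample values are assumptions.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Return 0 when addrlen is consistent with the address family named in sa,
 * otherwise the errno value a bind()-style entry point could hand back.
 * The family field itself must lie inside the buffer before it is read. */
int sockaddr_len_ok(const struct sockaddr *sa, socklen_t addrlen)
{
    if (sa == NULL ||
        addrlen < offsetof(struct sockaddr, sa_family) + sizeof(sa->sa_family))
        return EINVAL;

    switch (sa->sa_family) {
    case AF_INET:
        return addrlen >= sizeof(struct sockaddr_in) ? 0 : EINVAL;
    case AF_INET6:
        return addrlen >= sizeof(struct sockaddr_in6) ? 0 : EINVAL;
    default:
        return EAFNOSUPPORT;
    }
}

/* Constructed sample: 127.0.0.1:8080 (hypothetical values, not from the post). */
static void fill_loopback(struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(8080);
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
}

/* The reported case: a well-formed AF_INET address handed over with length 4. */
int check_short_inet_addr(void)
{
    struct sockaddr_in sin;
    fill_loopback(&sin);
    return sockaddr_len_ok((const struct sockaddr *)&sin, 4);   /* EINVAL */
}

/* The same address with its full length is accepted. */
int check_full_inet_addr(void)
{
    struct sockaddr_in sin;
    fill_loopback(&sin);
    return sockaddr_len_ok((const struct sockaddr *)&sin, sizeof(sin)); /* 0 */
}
```

In the BSD kernel the sockaddr also carries its own sa_len field, so a kernel-side check has to compare that value against the expected structure size as well, not only the length argument the caller passed.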