Date: Tue, 11 Apr 2017 22:25:14 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-net@FreeBSD.org Subject: [Bug 131876] [socket] FD leak by receiving SCM_RIGHTS by recvmsg with small control message buffer Message-ID: <bug-131876-2472-co6dcqPsaE@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-131876-2472@https.bugs.freebsd.org/bugzilla/> References: <bug-131876-2472@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D131876 Mark Johnston <markj@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|rwatson@FreeBSD.org |freebsd-net@FreeBSD.org CC| |markj@FreeBSD.org Status|In Progress |Open --- Comment #3 from Mark Johnston <markj@FreeBSD.org> --- It looks to me as though the loop in kern_recvit() which sets MSG_CTRUNC ne= eds to use dom_dispose to ensure that the remaining rights are closed before the mbuf is freed. Unfortunately, dom_dispose wants a socket rather than an mbuf - this= was changed in r285522 to fix a race between unp_dispose() and unp_gc(). Howeve= r, in this case the truncated mbuf will have already been removed from the soc= ket buffer, so we don't need to worry about the race. (If MSG_PEEK is set, the rights will still be present in the sockbuf and we needn't do anything.) So, to fix this we'd either need a way to invoke dom_dispose on a plain mbuf (i.e., the KPI prior to r285522), or we need to fake up a socket like sorflush() does. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-131876-2472-co6dcqPsaE>