From: Don Lewis
Message-Id: <199905101930.MAA24633@salsa.gv.tsc.tdk.com>
Date: Mon, 10 May 1999 12:30:24 -0700
In-Reply-To: dima@best.net (Dima Ruban) "Re: cvs commit: src/sys/kern uipc_usrreq.c" (May 10, 12:05pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: dima@best.net, Don.Lewis@tsc.tdk.com (Don Lewis)
Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

On May 10, 12:05pm, Dima Ruban wrote:
} Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c
} Don Lewis writes:
} > I'm pretty sure that's a different leak. The KKIS (unintentionally I
} > think) exploits a bug in the code that implements the passing of
} > descriptors across Unix domain datagram sockets. If there is a failure in
} > the middle of the operation, there is an extra reference to the descriptor
} > which is being passed that gets orphaned. The reason I think this exploit
} > is unintentional in FreeBSD >= 3.1, is that it exploits another bug in
} > older versions of FreeBSD that pretty quickly provokes a panic. The
} > descriptor leak takes longer to DoS the machine.
} >
} > BTW, should someone prepare a patch for both bugs in 2.2.X?
}
} I was just gonna suggest this. We still use 2.x-stable in the production
} environment.

I don't have any way of testing this patch:

Index: uipc_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_usrreq.c,v retrieving revision 1.15.4.2 diff -u -u -r1.15.4.2 uipc_usrreq.c --- uipc_usrreq.c 1997/08/15 13:54:00 1.15.4.2 +++ uipc_usrreq.c 1999/05/10 19:28:06 @@ -283,6 +283,8 @@ socantsendmore(so); unp_shutdown(unp); } + if (control && error != 0) + unp_dispose(control); break; case PRU_ABORT: 
@@ -885,8 +887,13 @@ /* * for each FD on our hit list, do the following two things */ - for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) - sorflush((struct socket *)(*fpp)->f_data); + for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) { + struct file *tfp = *fpp; + if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL) + sorflush((struct socket *)(tfp->f_data)); + } + + for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) closef(*fpp,(struct proc*) NULL); free((caddr_t)extra_ref, M_FILE);
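
Review bot: in the first hunk (@@ -283,6 +283,8 @@), the added `if (control && error != 0)` just before `break` only disposes of the passed descriptors when `error` is set, so it depends on every failing path in this case setting `error` while leaving `control` non-NULL, and on every successful path clearing `control` once it has been handed off. None of those paths are visible in the hunk's context, and the message says the patch is untested, so each exit of this case should be checked against that assumption before it is committed. A one-line comment above the new test saying that it drops the references held for the descriptors in `control` on a failed send would make the intent clear to the next reader.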
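
Review bot: in the second hunk (@@ -885,8 +887,13 @@), the new guard `tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL` silently skips entries that fail it, and nothing in the comment above the loop ("for each FD on our hit list, do the following two things") says why a non-socket file or a NULL `f_data` can appear in `extra_ref`. Please extend that comment to state which case the check protects against, since the old code cast `f_data` to `struct socket *` unconditionally. As style points, `struct file *tfp` is declared inside the loop body rather than with the function's other locals, and the two empty `+` lines after the closing brace could be reduced to one.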