Date:      Mon, 10 May 1999 12:30:24 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        dima@best.net, Don.Lewis@tsc.tdk.com (Don Lewis)
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/kern uipc_usrreq.c
Message-ID:  <199905101930.MAA24633@salsa.gv.tsc.tdk.com>
In-Reply-To: dima@best.net (Dima Ruban) "Re: cvs commit: src/sys/kern uipc_usrreq.c" (May 10, 12:05pm)

On May 10, 12:05pm, Dima Ruban wrote:
} Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c
} Don Lewis writes:
} > I'm pretty sure that's a different leak.  The KKIS (unintentionally I
} > think) exploits a bug in the code that implements the passing of
} > descriptors across Unix domain datagram sockets.  If there is a failure in
} > the middle of the operation, there is an extra reference to the descriptor
} > which is being passed that gets orphaned.  The reason I think this exploit
} > is unintentional in FreeBSD >= 3.1, is that it exploits another bug in
} > older versions of FreeBSD that pretty quickly provokes a panic.  The
} > descriptor leak takes longer to DoS the machine.
} > 
} > BTW, should someone prepare a patch for both bugs in 2.2.X?
} 
} I was just gonna suggest this. We still use 2.x-stable in the production
} environment.

I don't have any way of testing this patch:

Index: uipc_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_usrreq.c,v
retrieving revision 1.15.4.2
diff -u -u -r1.15.4.2 uipc_usrreq.c
--- uipc_usrreq.c	1997/08/15 13:54:00	1.15.4.2
+++ uipc_usrreq.c	1999/05/10 19:28:06
@@ -283,6 +283,8 @@
 			socantsendmore(so);
 			unp_shutdown(unp);
 		}
+		if (control && error != 0)
+			unp_dispose(control);
 		break;
 
 	case PRU_ABORT:
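Review bot: the new `if (control && error != 0) unp_dispose(control);` at the end of this case only releases the descriptor references carried in `control`, so it is correct only if every success path earlier in the case clears `control` once the chain has been handed to the receiving socket (otherwise the references are dropped a second time) and if the function's common release path still frees the mbuf chain itself (otherwise the mbufs leak even though the descriptors no longer do). Both points are worth checking in the 2.2 version of this routine, since the patch is posted untested, and a one-line comment on why `error != 0` is the trigger would help the next reader.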
@@ -885,8 +887,13 @@
 	/* 
 	 * for each FD on our hit list, do the following two things
 	 */
-	for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp)
-		sorflush((struct socket *)(*fpp)->f_data);
+	for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) {
+		struct file *tfp = *fpp;
+		if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL)
+			sorflush((struct socket *)(tfp->f_data));
+	}
+
+
 	for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp)
 		closef(*fpp,(struct proc*) NULL);
 	free((caddr_t)extra_ref, M_FILE);
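Review bot: the new `tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL` guard is what stops `sorflush()` from being handed a non-socket `f_data` off the hit list, but nothing in the hunk records why a non-socket entry can appear there, so a short comment to that effect would keep the check from being mistaken for dead code later; the comment above the loop ("the following two things") still fits, and the second, unguarded `closef()` loop is right to stay unguarded since every entry must still be closed. Style nit: only one of the two blank lines added between the loops is needed.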

