Date: Mon, 10 May 1999 12:30:24 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: dima@best.net, Don.Lewis@tsc.tdk.com (Don Lewis)
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c
Message-ID: <199905101930.MAA24633@salsa.gv.tsc.tdk.com>
In-Reply-To: dima@best.net (Dima Ruban) "Re: cvs commit: src/sys/kern uipc_usrreq.c" (May 10, 12:05pm)
On May 10, 12:05pm, Dima Ruban wrote:
} Subject: Re: cvs commit: src/sys/kern uipc_usrreq.c
} Don Lewis writes:
} > I'm pretty sure that's a different leak. The KKIS (unintentionally I
} > think) exploits a bug in the code that implements the passing of
} > descriptors across Unix domain datagram sockets. If there is a failure in
} > the middle of the operation, there is an extra reference to the descriptor
} > which is being passed that gets orphaned. The reason I think this exploit
} > is unintentional in FreeBSD >= 3.1, is that it exploits another bug in
} > older versions of FreeBSD that pretty quickly provokes a panic. The
} > descriptor leak takes longer to DoS the machine.
} >
} > BTW, should someone prepare a patch for both bugs in 2.2.X?
}
} I was just gonna suggest this. We still use 2.x-stable in the production
} environment.

I don't have any way of testing this patch:

Index: uipc_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_usrreq.c,v retrieving revision 1.15.4.2 diff -u -u -r1.15.4.2 uipc_usrreq.c --- uipc_usrreq.c 1997/08/15 13:54:00 1.15.4.2 +++ uipc_usrreq.c 1999/05/10 19:28:06 @@ -283,6 +283,8 @@ socantsendmore(so); unp_shutdown(unp); } + if (control && error != 0) + unp_dispose(control); break; case PRU_ABORT: @@ -885,8 +887,13 @@ /* * for each FD on our hit list, do the following two things */ - for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) - sorflush((struct socket *)(*fpp)->f_data); + for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) { + struct file *tfp = *fpp; + if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL) + sorflush((struct socket *)(tfp->f_data)); + } + + for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) closef(*fpp,(struct proc*) NULL); free((caddr_t)extra_ref, M_FILE);
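Review bot: in the first hunk (@@ -283,6 +283,8 @@) the new `unp_dispose(control)` call has no comment, and the reason for it lives only in the mail text above (the extra reference taken on a descriptor being passed is orphaned when the send fails); a one-line comment such as `/* send failed: drop the descriptor references taken when control was queued for passing */` would keep a later reader from removing a call that looks redundant next to whatever frees `control` afterwards. The guard `control && error != 0` also assumes that every failure after the descriptors were referenced sets `error` before control reaches this `break`, and that the path where referencing the descriptors itself fails leaves the case earlier, since `unp_dispose` would otherwise walk a control message that was never converted; only the tail of the PRU_SEND case is visible here, so that is worth confirming against the whole case.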
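Review bot: in the second hunk (@@ -885,8 +887,13 @@) the guard `tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL` is the actual fix but carries no explanation; add a comment stating that entries on the hit list need not be sockets (the old unconditional cast of `f_data` to a socket is presumably the panic the message above refers to), otherwise the next cleanup pass is likely to fold it back into the one-liner it replaced. Only the socket-specific `sorflush` needs the type check, so leaving the following `closef` loop unconditional over every entry is the intended behaviour; a short note that the two loops are deliberately separate (all flushes before any close) would be clearer than the existing comment, which only says "do the following two things".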