Date: Mon, 22 Jul 2019 19:25:06 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r350222 - stable/12/sys/kern Message-ID: <201907221925.x6MJP6AR093411@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Mon Jul 22 19:25:05 2019 New Revision: 350222 URL: https://svnweb.freebsd.org/changeset/base/350222 Log: MFC r350156: Fix leak of memory and file refs with sendmsg(2) over unix domain sockets. Approved by: so (insta-MFC) Modified: stable/12/sys/kern/uipc_usrreq.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/kern/uipc_usrreq.c ============================================================================== --- stable/12/sys/kern/uipc_usrreq.c Mon Jul 22 18:54:26 2019 (r350221) +++ stable/12/sys/kern/uipc_usrreq.c Mon Jul 22 19:25:05 2019 (r350222) @@ -2120,30 +2120,53 @@ unp_init(void) UNP_DEFERRED_LOCK_INIT(); } +static void +unp_internalize_cleanup_rights(struct mbuf *control) +{ + struct cmsghdr *cp; + struct mbuf *m; + void *data; + socklen_t datalen; + + for (m = control; m != NULL; m = m->m_next) { + cp = mtod(m, struct cmsghdr *); + if (cp->cmsg_level != SOL_SOCKET || + cp->cmsg_type != SCM_RIGHTS) + continue; + data = CMSG_DATA(cp); + datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data; + unp_freerights(data, datalen / sizeof(struct filedesc *)); + } +} + static int unp_internalize(struct mbuf **controlp, struct thread *td) { - struct mbuf *control = *controlp; - struct proc *p = td->td_proc; - struct filedesc *fdesc = p->p_fd; + struct mbuf *control, **initial_controlp; + struct proc *p; + struct filedesc *fdesc; struct bintime *bt; - struct cmsghdr *cm = mtod(control, struct cmsghdr *); + struct cmsghdr *cm; struct cmsgcred *cmcred; struct filedescent *fde, **fdep, *fdev; struct file *fp; struct timeval *tv; struct timespec *ts; - int i, *fdp; void *data; - socklen_t clen = control->m_len, datalen; - int error, oldfds; + socklen_t clen, datalen; + int i, error, *fdp, oldfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + p = td->td_proc; + fdesc = p->p_fd; error = 0; + control = *controlp; + clen = control->m_len; *controlp = NULL; - while (cm != NULL) { + initial_controlp = controlp; + for (cm = mtod(control, struct cmsghdr *); cm != NULL;) { if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { error = EINVAL; @@ -2294,6 +2317,8 @@ unp_internalize(struct mbuf **controlp, struct thread } out: + if (error != 0 && initial_controlp != NULL) + unp_internalize_cleanup_rights(*initial_controlp); m_freem(control); return (error); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201907221925.x6MJP6AR093411>