Date: Sun, 4 Apr 2004 13:59:34 -0600 (MDT)
From: "Ryan Sommers" <ryans@gamersimpact.com>
To: "Pawel Jakub Dawidek" <pjd@FreeBSD.org>
Cc: current@freebsd.org
Subject: Re: Panic from bad length parameter in bind (Possible DOS attack)
Message-ID: <49162.65.103.5.228.1081108774.squirrel@www2.neuroflux.com>
In-Reply-To: <20040403223230.GC613@darkness.comp.waw.pl>
References: <49165.65.103.5.228.1081027268.squirrel@www2.neuroflux.com> <20040403223230.GC613@darkness.comp.waw.pl>

Pawel Jakub Dawidek said:
> On Sat, Apr 03, 2004 at 02:21:08PM -0700, Ryan Sommers wrote:
> +> Whenever I supply a length of 4 as the final bind parameter I get the
> +> following panic. Looks like bind returns fine, however, when the program
> +> exits it stumbles over some mutex associated with the descriptor. The
> +> mutex passed to mtx_destroy() has MTX_RECURSED set. I attempted to find
> +> where the call to bind was clobbering the mutex but couldn't. I attached
> +> the simple program to exploit this. I was able to do it as a regular user.
>
> Yes, could you try this patch:
>
> http://people.freebsd.org/~pjd/patches/tcp_usrreq.c.patch

That fixes it.

>
> --
> Pawel Jakub Dawidek                       http://www.FreeBSD.org
> pjd@FreeBSD.org                           http://garage.freebsd.pl
> FreeBSD committer                         Am I Evil? Yes, I Am!
>

--
Ryan Sommers
ryans@gamersimpact.com