From owner-freebsd-current@FreeBSD.ORG Sun Apr 4 12:59:32 2004
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77DF916A4CF for ; Sun, 4 Apr 2004 12:59:32 -0700 (PDT)
Received: from mailserv1.neuroflux.com (mailserv1.neuroflux.com [204.228.228.92]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECEA843D5E for ; Sun, 4 Apr 2004 12:59:31 -0700 (PDT) (envelope-from ryans@gamersimpact.com)
Received: (qmail 11980 invoked by uid 89); 4 Apr 2004 19:59:34 -0000
Received: from unknown (HELO www2.neuroflux.com) (127.0.0.1) by localhost with SMTP; 4 Apr 2004 19:59:34 -0000
Received: from 65.103.5.228 (SquirrelMail authenticated user ryans@gamersimpact.com) by www2.neuroflux.com with HTTP; Sun, 4 Apr 2004 13:59:34 -0600 (MDT)
Message-ID: <49162.65.103.5.228.1081108774.squirrel@www2.neuroflux.com>
In-Reply-To: <20040403223230.GC613@darkness.comp.waw.pl>
References: <49165.65.103.5.228.1081027268.squirrel@www2.neuroflux.com> <20040403223230.GC613@darkness.comp.waw.pl>
Date: Sun, 4 Apr 2004 13:59:34 -0600 (MDT)
From: "Ryan Sommers"
To: "Pawel Jakub Dawidek"
User-Agent: SquirrelMail/1.4.2
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3
Importance: Normal
cc: current@freebsd.org
Subject: Re: Panic from bad length parameter in bind (Possible DOS attack)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Sun, 04 Apr 2004 19:59:32 -0000

Pawel Jakub Dawidek said:
> On Sat, Apr 03, 2004 at 02:21:08PM -0700, Ryan Sommers wrote:
>> Whenever I supply a length of 4 as the final bind parameter I get the
>> following panic. Looks like bind returns fine, however, when the program
>> exits it stumbles over some mutex associated with the descriptor. The
>> mutex passed to mtx_destroy() has MTX_RECURSED set. I attempted to find
>> where the call to bind was clobbering the mutex but couldn't. I attached
>> the simple program to exploit this. I was able to do it as a regular user.
>
> Yes, could you try this patch:
>
> http://people.freebsd.org/~pjd/patches/tcp_usrreq.c.patch

That fixes it.

> --
> Pawel Jakub Dawidek                       http://www.FreeBSD.org
> pjd@FreeBSD.org                           http://garage.freebsd.pl
> FreeBSD committer                         Am I Evil? Yes, I Am!

--
Ryan Sommers
ryans@gamersimpact.com
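The quoted report describes the failure class from the defender's side: an undersized address length reaches a bind handler, and the socket's mutex is later found still held (MTX_RECURSED) when the descriptor is torn down. The following C program is an added illustration of the two properties a bind handler needs to have to avoid that outcome. It is not FreeBSD's tcp_usrreq.c and not the patch linked in the message (which the page does not show); every `toy_*` name, the `toy_mtx` counter and the 255-byte length cap are constructed for this example.

```c
/* Added example: a toy model of a socket-layer bind handler.  Two properties
 * matter: (1) the caller-supplied length is validated before the address is
 * interpreted, and (2) the per-socket lock is released on every exit path,
 * so teardown never sees a lock that is still held. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Constructed stand-in for a kernel mutex: a nesting counter, so a leaked
 * acquire is visible at teardown time instead of panicking. */
struct toy_mtx { int held; };
static void toy_lock(struct toy_mtx *m)   { m->held++; }
static void toy_unlock(struct toy_mtx *m) { m->held--; }

/* Constructed stand-in for a protocol control block. */
struct toy_pcb {
    struct toy_mtx lock;
    uint16_t bound_port;   /* network byte order, 0 = unbound */
};

/* Generic layer: only the raw byte length is known here.  Reject lengths
 * that cannot even hold the family field, and absurdly long ones. */
static int toy_check_generic_len(socklen_t namelen)
{
    if (namelen < offsetof(struct sockaddr, sa_data))
        return EINVAL;
    if (namelen > 255)            /* assumption: a SOCK_MAXADDRLEN-style cap */
        return ENAMETOOLONG;
    return 0;
}

/* Protocol layer: AF_INET needs a full struct sockaddr_in.  The length is
 * checked before any field beyond the family is read. */
static int toy_check_inet_len(const struct sockaddr *sa, socklen_t namelen)
{
    if (namelen != sizeof(struct sockaddr_in))
        return EINVAL;
    if (sa->sa_family != AF_INET)
        return EAFNOSUPPORT;
    return 0;
}

/* The bind handler: every failure after the lock is taken goes through the
 * single unlock at "out", so the lock count is balanced on all paths. */
int toy_bind(struct toy_pcb *pcb, const struct sockaddr *name, socklen_t namelen)
{
    int error = toy_check_generic_len(namelen);
    if (error)
        return error;             /* lock not taken yet, nothing to undo */

    toy_lock(&pcb->lock);
    error = toy_check_inet_len(name, namelen);
    if (error)
        goto out;
    if (pcb->bound_port != 0) {   /* already bound */
        error = EINVAL;
        goto out;
    }
    pcb->bound_port = ((const struct sockaddr_in *)name)->sin_port;
out:
    toy_unlock(&pcb->lock);
    return error;
}

/* Teardown: 0 if the lock was balanced, EBUSY if some path leaked it. */
int toy_pcb_destroy(struct toy_pcb *pcb)
{
    return pcb->lock.held == 0 ? 0 : EBUSY;
}

/* Scenario helpers: bind a fresh PCB with a constructed AF_INET address
 * truncated to `namelen` bytes, and report the bind error / teardown result. */
static void toy_run(socklen_t namelen, int *bind_err, int *destroy_err)
{
    struct toy_pcb pcb;
    struct sockaddr_in sin;
    memset(&pcb, 0, sizeof pcb);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(8080);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    *bind_err = toy_bind(&pcb, (const struct sockaddr *)&sin, namelen);
    *destroy_err = toy_pcb_destroy(&pcb);
}

int toy_bind_result(socklen_t namelen)
{
    int b, d; toy_run(namelen, &b, &d); return b;
}

int toy_teardown_result(socklen_t namelen)
{
    int b, d; toy_run(namelen, &b, &d); return d;
}

int main(void)
{
    printf("len 4:  bind=%d teardown=%d\n", toy_bind_result(4), toy_teardown_result(4));
    printf("len 16: bind=%d teardown=%d\n",
           toy_bind_result(sizeof(struct sockaddr_in)),
           toy_teardown_result(sizeof(struct sockaddr_in)));
    return 0;
}
```

With a length of 4 the handler returns EINVAL and teardown still reports a balanced lock; the same teardown check would return EBUSY if any error path skipped the unlock, which is the condition a kernel reports much more loudly through mtx_destroy().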