From owner-freebsd-current@FreeBSD.ORG  Sun Apr  4 12:59:32 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 77DF916A4CF
	for <current@freebsd.org>; Sun,  4 Apr 2004 12:59:32 -0700 (PDT)
Received: from mailserv1.neuroflux.com (mailserv1.neuroflux.com
	[204.228.228.92])
	by mx1.FreeBSD.org (Postfix) with ESMTP id ECEA843D5E
	for <current@freebsd.org>; Sun,  4 Apr 2004 12:59:31 -0700 (PDT)
	(envelope-from ryans@gamersimpact.com)
Received: (qmail 11980 invoked by uid 89); 4 Apr 2004 19:59:34 -0000
Received: from unknown (HELO www2.neuroflux.com) (127.0.0.1)
  by localhost with SMTP; 4 Apr 2004 19:59:34 -0000
Received: from 65.103.5.228
        (SquirrelMail authenticated user ryans@gamersimpact.com)
        by www2.neuroflux.com with HTTP;
        Sun, 4 Apr 2004 13:59:34 -0600 (MDT)
Message-ID: <49162.65.103.5.228.1081108774.squirrel@www2.neuroflux.com>
In-Reply-To: <20040403223230.GC613@darkness.comp.waw.pl>
References: <49165.65.103.5.228.1081027268.squirrel@www2.neuroflux.com>
    <20040403223230.GC613@darkness.comp.waw.pl>
Date: Sun, 4 Apr 2004 13:59:34 -0600 (MDT)
From: "Ryan Sommers" <ryans@gamersimpact.com>
To: "Pawel Jakub Dawidek" <pjd@FreeBSD.org>
User-Agent: SquirrelMail/1.4.2
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3
Importance: Normal
cc: current@freebsd.org
Subject: Re: Panic from bad length parameter in bind (Possible DOS attack)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Apr 2004 19:59:32 -0000


Pawel Jakub Dawidek said:
> On Sat, Apr 03, 2004 at 02:21:08PM -0700, Ryan Sommers wrote:
> +> Whenever I supply a length of 4 as the final bind parameter I get the
> +> following panic. Looks like bind returns fine, however, when the
> program
> +> exits it stumbles over some mutex associated with the descriptor. The
> +> mutex passed to mtx_destroy() has MTX_RECURSED set. I attempted to find
> +> where the call to bind was clobbering the mutex but couldn't. I
> attached
> +> the simple program to exploit this. I was able to do it as a regular
> user.
>
> Yes, could you try this patch:
>
> 	http://people.freebsd.org/~pjd/patches/tcp_usrreq.c.patch

That fixes it.

>
> --
> Pawel Jakub Dawidek                       http://www.FreeBSD.org
> pjd@FreeBSD.org                           http://garage.freebsd.pl
> FreeBSD committer                         Am I Evil? Yes, I Am!
>

--
Ryan Sommers
ryans@gamersimpact.com