Date: Thu, 28 Nov 1996 11:10:01 -0800 (PST)
From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
To: freebsd-bugs
Subject: Re: kern/2114: recv() with MSG_PEEK and NULL pointer wedges system
Message-ID: <199611281910.LAA08918@freefall.freebsd.org>
The following reply was made to PR kern/2114; it has been noted by GNATS.

From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
To: bde@zeta.org.au (Bruce Evans)
Cc: FreeBSD-gnats-submit@freebsd.org, current@freebsd.org
Subject: Re: kern/2114: recv() with MSG_PEEK and NULL pointer wedges system
Date: Thu, 28 Nov 1996 14:03:29 -0500 (EST)

Of all the gin joints in all the towns in all the world, Bruce Evans
had to walk into mine and say:

> > The test program that freezes my system has also been
> > reported to have the same effect on a machine of 2.2-RELENG
> > vintage.
>
> One of the uiomove()s in soreceive() returns EFAULT and doesn't
> make any progress. The return code is not checked. This should
> be easy to fix.
>
> Bruce

Oh, I see: you want _me_ to fix it. My, you are a trusting soul, aren't
you. :)

If my limited understanding of the problem is correct, then what's
happening is that the failing uiomove() is happening inside a while()
loop, and before control returns to the top of the loop where the error
would be noticed, it gets stuck in another loop which never terminates
due to the uiomove() failure. Well, the obvious fix would seem to be
this:

*** uipc_socket.c.orig	Thu Nov 28 13:15:11 1996
--- uipc_socket.c	Thu Nov 28 13:05:37 1996
***************
*** 702,707 ****
--- 702,709 ----
  			splx(s);
  			error = uiomove(mtod(m, caddr_t) + moff, (int)len, uio);
  			s = splnet();
+ 			if (error)
+ 				goto release;
  		} else
  			uio->uio_resid -= len;
  		if (len == m->m_len - moff) {

I'm not 100% sure this is the _correct_ fix however: there are a lot of
mbufs being slung about, and it's hard to tell if this does the right
thing without accidentally causing a leak somewhere. In any case, this
does fix the immediate problem: with this patch in place, my sample
program gets back an EFAULT rather than freezing the system.

Note that OpenBSD and NetBSD may well be subject to the same bug since
this code comes direct from 4.4BSD-Lite.
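Review bot: the added `if (error) goto release;` is placed after `s = splnet();`, so the jump leaves the loop at the same spl level as the rest of the loop body, and it runs before the `if (len == m->m_len - moff)` bookkeeping, so the mbuf whose copy failed is neither advanced past nor freed; that addresses the leak worry in the text for the current mbuf only, so it is worth confirming what `release` expects of `so->so_rcv` when entered from inside the loop rather than after it. A one-line comment above the check stating why the early exit is needed (a uiomove() failure must not be followed by further consumption of the receive buffer) would help the next reader, and the sample program that found the bug would make a good regression test to keep alongside the change.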
-Bill

-- 
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================
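As an added illustration (not code from the PR, from Bill Paul or from FreeBSD), here is a user-space model of the copy loop the hunk touches. uiomove_model, soreceive_model and the two-mbuf chain are constructed stand-ins; the model shows only where the patch's check sits relative to the free of the current mbuf, not the hang the message describes.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the soreceive() copy loop; not FreeBSD kernel code. */
struct mbuf { const char *data; size_t len; struct mbuf *next; };
struct uio  { char *base; size_t resid; };
/* Stand-in for uiomove(): an unmapped user buffer (modelled as NULL) yields EFAULT. */
static int uiomove_model(const char *src, size_t n, struct uio *uio)
{
    if (uio->base == NULL)
        return EFAULT;              /* nothing copied, so uio->resid does not shrink */
    memcpy(uio->base, src, n);
    uio->base += n; uio->resid -= n;
    return 0;
}

/* Chain copy, non-MSG_PEEK path. fixed == 0: the uiomove() result is seen only at the
 * top of the loop, after the mbuf was already freed (original code). fixed == 1: leave
 * at once, like the patch's "goto release", so the mbuf stays queued. */
static int soreceive_model(struct mbuf **head, struct uio *uio, int fixed)
{
    int error = 0;
    while (*head && uio->resid > 0 && error == 0) {
        struct mbuf *m = *head;
        size_t len = uio->resid < m->len ? uio->resid : m->len;
        error = uiomove_model(m->data, len, uio);
        if (fixed && error) break;
        if (len == m->len) {        /* whole mbuf consumed: unlink and free it */
            *head = m->next;
            free(m);
        } else {                    /* partial: trim the mbuf in place */
            m->data += len; m->len -= len;
        }
    }
    return error;
}

/* recv() of 10 bytes into a NULL buffer from a constructed "hello"+"world" chain;
 * returns the bytes still queued afterwards, or -1 if EFAULT was not reported. */
static long queued_after_bad_recv(int fixed)
{
    struct mbuf *m2 = malloc(sizeof *m2), *m1 = malloc(sizeof *m1);
    *m2 = (struct mbuf){ "world", 5, NULL }; *m1 = (struct mbuf){ "hello", 5, m2 };
    struct uio uio = { NULL, 10 };
    int error = soreceive_model(&m1, &uio, fixed);
    long left = 0;
    for (struct mbuf *m = m1, *n; m; m = n) { n = m->next; left += (long)m->len; free(m); }
    return error == EFAULT ? left : -1;
}
```

Both variants report EFAULT; the unpatched loop has already discarded the first mbuf by the time it notices, while the patched one leaves the whole chain queued.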