Date: Tue, 21 May 2013 21:58:01 +0000 (UTC)
From: Mateusz Guzik <mjg@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r250890 - head/sys/kern
Message-ID: <201305212158.r4LLw1Ed076595@svn.freebsd.org>
Author: mjg Date: Tue May 21 21:58:00 2013 New Revision: 250890 URL: http://svnweb.freebsd.org/changeset/base/250890 Log: passing fd over unix socket: fix a corner case where caller wants to pass no descriptors. Previously the kernel would leak memory and try to free a potentially arbitrary pointer. Reviewed by: pjd Modified: head/sys/kern/uipc_usrreq.c Modified: head/sys/kern/uipc_usrreq.c ============================================================================== --- head/sys/kern/uipc_usrreq.c Tue May 21 21:50:11 2013 (r250889) +++ head/sys/kern/uipc_usrreq.c Tue May 21 21:58:00 2013 (r250890) @@ -1686,6 +1686,8 @@ unp_freerights(struct filedescent **fdep struct file *fp; int i; + if (fdcount == 0) + return; for (i = 0; i < fdcount; i++) { fp = fdep[i]->fde_file; filecaps_free(&fdep[i]->fde_caps); @@ -1768,7 +1770,8 @@ unp_externalize(struct mbuf *control, st unp_externalize_fp(fde->fde_file); } FILEDESC_XUNLOCK(fdesc); - free(fdep[0], M_FILECAPS); + if (newfds != 0) + free(fdep[0], M_FILECAPS); } else { /* We can just copy anything else across. */ if (error || controlp == NULL) @@ -1925,6 +1928,10 @@ unp_internalize(struct mbuf **controlp, error = E2BIG; goto out; } + if (oldfds == 0) { + FILEDESC_SUNLOCK(fdesc); + break; + } fdp = data; fdep = (struct filedescent **) CMSG_DATA(mtod(*controlp, struct cmsghdr *));
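Review bot: In the unp_freerights hunk, the new `if (fdcount == 0) return;` sits in front of a for loop that already does nothing when fdcount is 0, so the reason for the guard is not visible at this point in the function. A one-line comment naming the later statement that must not run with an empty array (the log mentions freeing a potentially arbitrary pointer) would keep someone from removing the check as redundant.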
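Review bot: In the unp_externalize hunk, the condition `if (newfds != 0)` guards `free(fdep[0], M_FILECAPS)`, but nothing on these lines says why fdep[0] is only valid when newfds is non-zero. A comment stating that invariant would help, and since the unp_freerights hunk adds the same kind of zero-count guard, consider handling the empty case in one place instead of checking at each site that touches fdep[0].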
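Review bot: In the unp_internalize hunk, the new `oldfds == 0` branch releases the lock by hand with FILEDESC_SUNLOCK(fdesc) and leaves with break, while the E2BIG path just above it leaves with goto out, so the function now has two differently shaped exits a few lines apart. A short comment marking this as the success path for a message carrying no descriptors, and confirming that error is still 0 when the break is reached, would make the asymmetry read as intentional.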