Author: mjg
Date: Tue May 21 21:58:00 2013
New Revision: 250890
URL: http://svnweb.freebsd.org/changeset/base/250890
Log:
passing fd over unix socket: fix a corner case where caller
wants to pass no descriptors.
Previously the kernel would leak memory and try to free a potentially
arbitrary pointer.
Reviewed by: pjd
Modified:
head/sys/kern/uipc_usrreq.c
Modified: head/sys/kern/uipc_usrreq.c
==============================================================================
--- head/sys/kern/uipc_usrreq.c Tue May 21 21:50:11 2013 (r250889)
+++ head/sys/kern/uipc_usrreq.c Tue May 21 21:58:00 2013 (r250890)
@@ -1686,6 +1686,8 @@ unp_freerights(struct filedescent **fdep
struct file *fp;
int i;
+ if (fdcount == 0)
+ return;
for (i = 0; i < fdcount; i++) {
fp = fdep[i]->fde_file;
filecaps_free(&fdep[i]->fde_caps);
@@ -1768,7 +1770,8 @@ unp_externalize(struct mbuf *control, st
unp_externalize_fp(fde->fde_file);
}
FILEDESC_XUNLOCK(fdesc);
- free(fdep[0], M_FILECAPS);
+ if (newfds != 0)
+ free(fdep[0], M_FILECAPS);
} else {
/* We can just copy anything else across. */
if (error || controlp == NULL)
@@ -1925,6 +1928,10 @@ unp_internalize(struct mbuf **controlp,
error = E2BIG;
goto out;
}
+ if (oldfds == 0) {
+ FILEDESC_SUNLOCK(fdesc);
+ break;
+ }
fdp = data;
fdep = (struct filedescent **)
CMSG_DATA(mtod(*controlp, struct cmsghdr *));
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
