Subject: accept(2) with bad name parameter.
To: None <tech-net@netbsd.org>
From: Sean Boudreau <seanb@qnx.com>
List: tech-net
Date: 08/16/2006 14:41:16
Hi:
If accept(2) is called with a bad name parameter
and the copyout() fails, the file pointer is cleaned
up but the associated socket is left dangling.
This can leave sockets in CLOSE_WAIT that can
never be closed. The same could happen with
the anamelen parameter: it's verified up front
via copyin() but I guess it could be unmapped
during the tsleep().
Here's a diff. Any comments before I commit?
Regards,
-seanb
Index: kern/uipc_syscalls.c
===================================================================
RCS file: /cvsroot/src/sys/kern/uipc_syscalls.c,v
retrieving revision 1.101
diff -c -r1.101 uipc_syscalls.c
*** kern/uipc_syscalls.c 23 Jul 2006 22:06:11 -0000 1.101
--- kern/uipc_syscalls.c 16 Aug 2006 18:25:18 -0000
***************
*** 240,249 ****
namelen = nam->m_len;
/* SHOULD COPY OUT A CHAIN HERE */
if ((error = copyout(mtod(nam, caddr_t),
! (caddr_t)SCARG(uap, name), namelen)) == 0)
! error = copyout((caddr_t)&namelen,
! (caddr_t)SCARG(uap, anamelen),
! sizeof(*SCARG(uap, anamelen)));
}
/* if an error occurred, free the file descriptor */
if (error) {
--- 240,251 ----
namelen = nam->m_len;
/* SHOULD COPY OUT A CHAIN HERE */
if ((error = copyout(mtod(nam, caddr_t),
! (caddr_t)SCARG(uap, name), namelen)) != 0 ||
! (error = copyout((caddr_t)&namelen,
! (caddr_t)SCARG(uap, anamelen),
! sizeof(*SCARG(uap, anamelen)))) != 0) {
! soclose(so);
! }
}
/* if an error occurred, free the file descriptor */
if (error) {
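Review bot: the new `soclose(so)` at lines 240-251 runs before the existing `if (error)` cleanup just below it, so the fd/file-pointer release there must not also close the socket through the file's close operation, or the socket would be closed twice; worth confirming that path only frees the file and does not call `soclose` again. Stylistically, chaining both `copyout()` assignments inside one `||` condition makes the error flow hard to follow; splitting it into two statements, e.g. `error = copyout(...); if (error == 0) error = copyout(...); if (error) soclose(so);`, would read more clearly and keep the same semantics.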