Date: Mon, 12 Mar 2001 13:24:21 +0200 (EET) From: unicorn@Forest.Od.UA To: FreeBSD-gnats-submit@freebsd.org Subject: kern/25732: Patch against crash caused by operations with half-binded sockets. Message-ID: <200103121124.f2CBOLZ99380@Unicorn.Forest.Od.UA>
next in thread | raw e-mail | index | archive | help
>Number: 25732 >Category: kern >Synopsis: Patch against crash caused by operations with half-binded sockets. >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Mon Mar 12 03:30:01 PST 2001 >Closed-Date: >Last-Modified: >Originator: Winged Unicorn >Release: FreeBSD 5.0-CURRENT i386 >Organization: Valhala >Environment: System: FreeBSD Unicorn.Forest.Od.UA 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Feb 21 20:56:33 EET 2001 root@Unicorn.Forest.Od.UA:/usr/src/sys/compile/FOREST i386 Working jail environment with NIS/YP installed. >Description: If bind() call fails to allocate port due `prison_ip' permission failure, socket left in half-binded state (bind returns an error, but doesn't undo socket state (in case of failure bind should left inp_laddr.s_addr == INADDR_ANY && inp_lport == 0, indicating, that socket is NOT yet binded)). In upper case `bind' aborted, left in binded state, but doesn't inserted in hashlists (in_pcbinshash). Any operations with such sockets will cause dereferencing of hash pointers and lead to crash. >How-To-Repeat: In jail with NIS/YP environment type `id some_nis_user'. >Fix: `cvs diff in_pcb.c' follows: Index: in_pcb.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v retrieving revision 1.81 diff -r1.81 in_pcb.c 275c275,281 < if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr )) --- > if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr )) { > /* > * Undo any address bind that may have > * occurred above. > */ > inp->inp_laddr.s_addr = INADDR_ANY; > 276a283 > } 284c291,296 < if (p && (error = suser_xxx(0, p, PRISON_ROOT))) --- > if (p && (error = suser_xxx(0, p, PRISON_ROOT))) { > /* > * Undo any address bind that may have > * occurred above. > */ > inp->inp_laddr.s_addr = INADDR_ANY; 285a298 > } 309,312d321 < /* < * Undo any address bind that may have < * occurred above. < */ 346,347c355,361 < if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr)) < return(EINVAL); --- > > if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr)) { > inp->inp_laddr.s_addr = INADDR_ANY; > inp->inp_lport = 0; > return (EINVAL); > } > >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200103121124.f2CBOLZ99380>