Date: Thu, 17 Jul 2003 16:49:10 -0700 (PDT)
From: Robert Drehmel <robert@FreeBSD.org>
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/sys socketvar.h src/sys/kern uipc_socket.c
Message-ID: <200307172349.h6HNnBRK053938@repoman.freebsd.org>
robert 2003/07/17 16:49:10 PDT
FreeBSD src repository
Modified files:
sys/sys socketvar.h
sys/kern uipc_socket.c
Log:
To avoid a kernel panic provoked by a NULL pointer dereference,
do not clear the `sb_sel' member of the sockbuf structure
while invalidating the receive sockbuf in sorflush(), called
from soshutdown().

The panic was reproducible from user land by attaching a knote
with EVFILT_READ filters to a socket, disabling further reads
from it using shutdown(2), and then closing it. knote_remove()
was called to remove all knotes from the socket file descriptor
by detaching each using its associated filterops' detach
callback function, sordetach() in this case, which tried to
remove itself from the invalidated sockbuf's klist
(sb_sel.si_note).

PR: kern/54331

Revision  Changes    Path
1.153     +7 -1      src/sys/kern/uipc_socket.c
1.104     +1 -0      src/sys/sys/socketvar.h

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307172349.h6HNnBRK053938>
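
An added example, not part of the commit or of FreeBSD's source: a userland C model of the sequence in the log message, contrasting an invalidation that wipes the whole sockbuf with one that leaves sb_sel untouched. Every name other than sb_sel and si_note is hypothetical, and the offsetof-based partial clear is one way to preserve the member, not necessarily what the committed change does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userland model (assumption): only sb_sel and si_note are names from the page. */
struct knote_m   { struct knote_m *kn_next; };
struct selinfo_m { struct knote_m *si_note; };   /* klist head */
struct sockbuf_m {
    struct selinfo_m sb_sel;   /* must survive invalidation */
    unsigned sb_cc, sb_hiwat;  /* sb_cc: first member that is safe to clear */
};

static void attach(struct sockbuf_m *sb, struct knote_m *kn) {
    kn->kn_next = sb->sb_sel.si_note;
    sb->sb_sel.si_note = kn;
}

/* Unlink kn; -1 means kn is unreachable from the head (the reported panic state). */
static int detach(struct sockbuf_m *sb, struct knote_m *kn) {
    struct knote_m **pp = &sb->sb_sel.si_note;
    while (*pp != NULL && *pp != kn)
        pp = &(*pp)->kn_next;
    if (*pp == NULL)
        return -1;
    *pp = kn->kn_next;
    return 0;
}

/* Invalidation that wipes the whole structure, klist head included. */
static void flush_all(struct sockbuf_m *sb) { memset(sb, 0, sizeof(*sb)); }
/* Invalidation that clears everything after sb_sel and leaves the klist alone. */
static void flush_keep_sel(struct sockbuf_m *sb) {
    size_t off = offsetof(struct sockbuf_m, sb_cc);
    memset((char *)sb + off, 0, sizeof(*sb) - off);
}

/* attach -> invalidate -> detach, the order described in the log message. */
static int run_sequence(void (*flush)(struct sockbuf_m *)) {
    struct sockbuf_m sb = { .sb_cc = 128, .sb_hiwat = 4096 };
    struct knote_m kn = { NULL };
    attach(&sb, &kn);
    flush(&sb);
    return sb.sb_cc != 0 ? -2 : detach(&sb, &kn);
}

int main(void) {
    printf("full wipe: %d, sb_sel kept: %d\n", run_sequence(flush_all), run_sequence(flush_keep_sel));
    return 0;
}
```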
