From owner-freebsd-bugs  Fri May 24  5:30:17 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id BFC6437B40C
	for <freebsd-bugs@hub.freebsd.org>; Fri, 24 May 2002 05:30:03 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g4OCU3t70624;
	Fri, 24 May 2002 05:30:03 -0700 (PDT)
	(envelope-from gnats)
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 912D337B404
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 24 May 2002 05:27:34 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g4OCRYhG000189
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 24 May 2002 05:27:34 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g4OCRYwD000188;
	Fri, 24 May 2002 05:27:34 -0700 (PDT)
Message-Id: <200205241227.g4OCRYwD000188@www.freebsd.org>
Date: Fri, 24 May 2002 05:27:34 -0700 (PDT)
From: Greg Troxel <gdt@ir.bbn.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/38495: soreceive fails to maintain invariant on UDP sockets if uiomove fails
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         38495
>Category:       kern
>Synopsis:       soreceive fails to maintain invariant on UDP sockets if uiomove fails
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 24 05:30:03 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Greg Troxel
>Release:        RELENG_4 as of 20020523 or so
>Organization:
BBN Technologies
>Environment:
>Description:
Problem observed on NetBSD, and on inspection, FreeBSD has the same
code and the same problem.  Kernel will likely hit KASSERT at
sys/kern/uipc_socket.c line 774 if uiomove fails on recvfrom on a UDP
socket.
See NetBSD PR bin/16990, at
http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=16990
>How-To-Repeat:
See NetBSD PR.
Basically, call recvfrom with a NULL pointer to data, and then call it
again.
>Fix:
Merge patch from NetBSD PR.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message