Subject: Re: kern/32842: SCM_RIGHTS can leak file descriptor resources
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 07/27/2006 00:35:02
The following reply was made to PR kern/32842; it has been noted by GNATS.
From: Christian Biere <christianbiere@gmx.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/32842: SCM_RIGHTS can leak file descriptor resources
Date: Thu, 27 Jul 2006 02:38:19 +0200
Christian Biere wrote:
> >Synopsis: SCM_RIGHTS can leak file descriptor resources
> When passing a file descriptor of a socket using SCM_RIGHTS over a
> unix domain socket (i.e., AF_LOCAL, SOCK_DGRAM) to a non-existing
> socket sendmsg() fails with errno = ENOENT. Even though the sent file
> descriptor is unconditionally closed after sendmsg(), the associated
> socket is never released, not even after terminating the sending
> process and removing its unix domain socket.

The following patch seems to fix this leak. I found the hint
leading to this patch in an archived FreeBSD mailing list
discussion from 1999:
http://groups.google.com/group/muc.lists.freebsd.security/browse_thread/thread/6273768d4d8bfc6c/00db9d3ac832084b?lnk=st&q=&rnum=1

The patch might be incomplete but I cannot reproduce the leak
using my provided test case with this patch applied anymore.

Index: uipc_usrreq.c
===================================================================
RCS file: /cvsroot/src/sys/kern/uipc_usrreq.c,v
retrieving revision 1.92
diff -u -r1.92 uipc_usrreq.c
--- uipc_usrreq.c 23 Jul 2006 22:06:12 -0000 1.92
+++ uipc_usrreq.c 27 Jul 2006 00:22:41 -0000
@@ -326,6 +326,7 @@
error = unp_connect(so, nam, l);
if (error) {
die:
+ unp_dispose(control);
m_freem(control);
m_freem(m);
break;
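
Review bot: `die:` is a goto label, so error paths that this hunk does not show also run the added `unp_dispose(control);`, not only the `unp_connect()` failure. Please confirm for each of those paths that control has already been converted from descriptor numbers to in-kernel file references at that point, and that unp_dispose() accepts a NULL control, since `m_freem(control);` on the next line is called unconditionally. If either does not hold, guard the call or dispose of the rights only on the paths where control is known to be internalized. A one-line comment above the call saying why the rights have to be released before the mbuf is freed would also help the next reader.
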
--
Christian
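
A user-space regression check for the leak described in the quoted report, added here as an example: it is not the test case the author refers to and not NetBSD code. It passes the write end of a pipe rather than a socket, on the assumption that a leaked kernel reference then shows up as a missing EOF on the read end; the socket path and function names are constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Constructed path: nothing is bound here, so the datagram has no receiver. */
#define NO_SUCH_SOCKET "/tmp/scm-rights-regress-no-such-socket"

/* Send one byte plus fd_to_pass as SCM_RIGHTS; returns 0 or the errno. */
static int send_fd_to_missing_peer(int sock, int fd_to_pass)
{
    struct sockaddr_un dst = { .sun_family = AF_UNIX, .sun_path = NO_SUCH_SOCKET };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_name = &dst, .msg_namelen = sizeof(dst),
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof(ctl.buf) };
    struct cmsghdr *cm;

    memset(&ctl, 0, sizeof(ctl));
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? errno : 0;
}

/* 0: write end fully released; 1: a reference leaked; -1: inconclusive. */
int scm_rights_leak_check(void)
{
    int p[2], sock, err, leaked;
    char c;
    if (pipe(p) < 0 || (sock = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) return -1;
    fcntl(p[0], F_SETFL, O_NONBLOCK);
    err = send_fd_to_missing_peer(sock, p[1]);   /* expected: ENOENT */
    close(p[1]);   /* drops the last reference user space can see */
    close(sock);
    /* EOF (0) means no writer is left; EAGAIN means the kernel kept one. */
    leaked = read(p[0], &c, 1) != 0;
    close(p[0]);
    return err == ENOENT ? leaked : -1;
}

int main(void) { int r = scm_rights_leak_check(); printf("leak check: %d\n", r); return r != 0; }
```

A result of 1 means the failed sendmsg() left a reference behind; -1 means sendmsg() did not fail with ENOENT, so the run says nothing about the leak.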