NetBSD-Bugs archive


Re: kern/40570

The following reply was made to PR kern/40570; it has been noted by GNATS.

From: Antti Kantee <>
Subject: Re: kern/40570
Date: Sat, 7 Feb 2009 14:55:31 +0200

 Two issues: first of all, mount_puffsportal does not use the portalfs
 in any way, so I think we could drop "portalfs" from the synopsis.
 Second, I believe this is a panic common to all userland programs doing
 file descriptor passing.  I suggest changing the synopsis to e.g. "file
 descriptor passing = panic" ... and am in fact doing so.

 As this is a (potential) local DoS, I think it's a priority for 5.0.

 The application code which corresponds to the kernel stack trace is:

 static int
 sendfd(int s, int fd, int error)
 {
         struct cmsghdr *cmp;
         struct msghdr msg;
         struct iovec iov;
         ssize_t n;
         int rv;

         rv = 0;
         cmp = emalloc(CMSG_LEN(sizeof(int)));

         iov.iov_base = &error;
         iov.iov_len = sizeof(int);

         cmp->cmsg_level = SOL_SOCKET;
         cmp->cmsg_type = SCM_RIGHTS;
         cmp->cmsg_len = CMSG_LEN(sizeof(int));

         msg.msg_iov = &iov;
         msg.msg_iovlen = 1;
         msg.msg_name = NULL;
         msg.msg_namelen = 0;
         msg.msg_control = cmp;
         msg.msg_controllen = CMSG_LEN(sizeof(int));
         *(int *)CMSG_DATA(cmp) = fd;

         n = sendmsg(s, &msg, 0);
         if (n == -1)
                 rv = errno;
         else if (n < sizeof(int))
                 rv = EPROTO;

         return rv;
 }
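
An added example, not code from the message above or from the NetBSD tree: both ends of a single SCM_RIGHTS transfer, with the control buffer sized by CMSG_SPACE() and a receiver that rejects truncated or unexpected control data. The names send_fd, recv_fd and union ctl are assumptions for illustration, and the code assumes CMSG_SPACE() is a compile-time constant on the target platform.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Control buffer: CMSG_SPACE-sized (header + padding), cmsghdr-aligned. */
union ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Send fd as one SCM_RIGHTS record; 0 on success, -1 on failure. */
static int send_fd(int s, int fd)
{
    union ctl c = { .buf = {0} };
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = c.buf, .msg_controllen = sizeof(c.buf) };
    struct cmsghdr *cmp = CMSG_FIRSTHDR(&msg);
    cmp->cmsg_level = SOL_SOCKET;
    cmp->cmsg_type = SCM_RIGHTS;
    cmp->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmp), &fd, sizeof(fd));
    return sendmsg(s, &msg, 0) == 1 ? 0 : -1;
}

/* Return the fd, or -1 unless exactly one untruncated SCM_RIGHTS int arrived. */
static int recv_fd(int s)
{
    union ctl c = { .buf = {0} };
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = c.buf, .msg_controllen = sizeof(c.buf) };
    int fd;
    if (recvmsg(s, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    struct cmsghdr *cmp = CMSG_FIRSTHDR(&msg);
    if (cmp == NULL || cmp->cmsg_level != SOL_SOCKET ||
        cmp->cmsg_type != SCM_RIGHTS || cmp->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmp), sizeof(fd));
    return fd;
}

/* Constructed demo: pass a pipe's read end across a socketpair. */
int main(void)
{
    int sv[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(p)) return 1;
    return (send_fd(sv[0], p[0]) == 0 && recv_fd(sv[1]) >= 0) ? 0 : 1;
}
```

A production receiver should also close any descriptors that arrived in a message it rejects, since the kernel installs them before the checks run.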
