Subject: Re: MSG_CTRUNC vs SCM_RIGHTS
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 04/12/2004 09:50:50
On Mon, Apr 12, 2004 at 02:30:38AM -0400, der Mouse wrote:
> I'm building some code that uses SCM_RIGHTS file-descriptor passing.
> I've run into a problem, though, and I'm wondering what the correct
> approach is.
> 
> Most basically, the problem is that once unp_externalize has been
> called for a message, the process has the descriptors - but if the
> control buffer is too small, the process won't find out the file
> descriptor numbers of all of them.
> 
> This makes it difficult to build protocols involving fd passing which
> must withstand potentially malicious clients, since a malicious sender
> can dump an effectively unlimited number of extra file descriptors into
> the receiver's open file table, and the victim has no easy way to tell
> which ones they are or even how many of them there are.  (It's not
> quite impossible; with the help of another process such an attack can
> at least be withstood, but I haven't found a way that costs less than
> one fork per malicious send.)

I think this is a bug.  I am rather perplexed as to what a simple, clean
way to fix it would be -- if there is one.

Thor
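Added example (not from this thread, and not NetBSD code): a receiver that detects MSG_CTRUNC, copies no more descriptors than its control buffer was budgeted for, and reclaims any descriptor that appeared in its own table during recvmsg without being reported, by snapshotting open descriptors (fcntl F_GETFD) before and after the call. It assumes a single-threaded receiver (another thread opening files during recvmsg would be miscounted), and that the kernel's behaviour for undelivered descriptors varies (Linux discards the ones that do not fit, so the stray count there is smaller than on the kernel discussed above); CMSG_SPACE padding can also let the kernel hand over one more descriptor than `room`, which is why the copy is capped.

```c
#include <sys/socket.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#define FD_SCAN 256   /* descriptor range scanned; raise it to match RLIMIT_NOFILE */
static void fd_snapshot(unsigned char *open) {   /* open[fd] = 1 if fd is open */
    for (int fd = 0; fd < FD_SCAN; fd++) open[fd] = fcntl(fd, F_GETFD) != -1;
}
/* Receive with control space for `room` descriptors: returns how many the SCM_RIGHTS cmsg
 * reported (copied to out), sets *trunc on MSG_CTRUNC and closes unreported newcomers (*strays). */
static int recv_fds(int sock, int *out, int room, int *trunc, int *strays) {
    unsigned char before[FD_SCAN], after[FD_SCAN]; int n = 0;
    char c, cbuf[CMSG_SPACE(room * sizeof(int))];
    struct iovec iov = { &c, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    fd_snapshot(before);                      /* what was open before the kernel externalizes */
    if (recvmsg(sock, &msg, 0) < 0) return -1;
    *trunc = (msg.msg_flags & MSG_CTRUNC) != 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) continue;
        int cnt = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        if (cnt > room - n) cnt = room - n;   /* never copy more than we budgeted for */
        memcpy(out + n, CMSG_DATA(cm), cnt * sizeof(int));
        n += cnt;
    }
    fd_snapshot(after); *strays = 0;
    for (int fd = 0; fd < FD_SCAN; fd++) {    /* newcomers absent from the cmsg list */
        int seen = before[fd] || !after[fd];
        for (int i = 0; i < n && !seen; i++) seen = (out[i] == fd);
        if (!seen) { close(fd); (*strays)++; }
    }
    return n;
}
/* Demo with constructed input: a peer sends three descriptors, we receive with room for one. */
static int demo(int *trunc, int *strays) {
    int sv[2], fds[3], out[4], n;
    char c = 'x', cbuf[CMSG_SPACE(3 * sizeof(int))];
    struct iovec iov = { &c, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    for (int i = 0; i < 3; i++) fds[i] = dup(sv[0]);   /* any open descriptors will do */
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(3 * sizeof(int));
    memcpy(CMSG_DATA(cm), fds, 3 * sizeof(int));
    if (sendmsg(sv[0], &msg, 0) < 0) return -1;
    n = recv_fds(sv[1], out, 1, trunc, strays);
    for (int i = 0; i < n; i++) close(out[i]);
    for (int i = 0; i < 3; i++) close(fds[i]); close(sv[0]); close(sv[1]);
    return n;
}
```

The demo returns 1 reported descriptor with `*trunc` set; `*strays` is the number of unreported descriptors the receiver had to close itself, which depends on how the kernel handles the overflow.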