Module Name: src
Committed By: christos
Date: Sat Oct 6 22:58:09 UTC 2012
Modified Files:
src/sys/kern: uipc_usrreq.c
Log Message:
Avoid crash dereferencing a NULL fp in fd_affix() in unp_externalize
caused by the sequence of passing two fd's with two sendmsg()'s,
then doing a read() and a recvmsg(). The read() calls dom_dispose()
which discards both messages in the mbuf, and sets the fp's in the
array to NULL. Linux dequeues only one message per read() so the
second recvmsg() gets the fd from the second message. This fix
just avoids the NULL pointer de-reference, making the second
recvmsg() to fail. It is dubious to pass fd's with stream sockets
and expect mixing read() and recvmsg() to work. Plus processing
one control message per read() changes the current semantics and
should be examined before applied. In addition there is a race between
dom_externalize() and dom_dispose(): what happens in a multi-threaded
network stack when one thread disposes where the other externalizes
the same array?
NB: Pullup to 6.
To generate a diff of this commit:
cvs rdiff -u -r1.139 -r1.140 src/sys/kern/uipc_usrreq.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/uipc_usrreq.c
diff -u src/sys/kern/uipc_usrreq.c:1.139 src/sys/kern/uipc_usrreq.c:1.140
--- src/sys/kern/uipc_usrreq.c:1.139 Mon Jul 30 06:45:03 2012
+++ src/sys/kern/uipc_usrreq.c Sat Oct 6 18:58:08 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_usrreq.c,v 1.139 2012/07/30 10:45:03 christos Exp $ */
+/* $NetBSD: uipc_usrreq.c,v 1.140 2012/10/06 22:58:08 christos Exp $ */
/*-
* Copyright (c) 1998, 2000, 2004, 2008, 2009 The NetBSD Foundation, Inc.
@@ -96,7 +96,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.139 2012/07/30 10:45:03 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_usrreq.c,v 1.140 2012/10/06 22:58:08 christos Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -1247,29 +1247,30 @@ unp_externalize(struct mbuf *rights, str
rw_enter(&p->p_cwdi->cwdi_lock, RW_READER);
/* Make sure the recipient should be able to see the files.. */
- if (p->p_cwdi->cwdi_rdir != NULL) {
- rp = (file_t **)CMSG_DATA(cm);
- for (size_t i = 0; i < nfds; i++) {
- file_t * const fp = *rp++;
- /*
- * If we are in a chroot'ed directory, and
- * someone wants to pass us a directory, make
- * sure it's inside the subtree we're allowed
- * to access.
- */
- if (fp->f_type == DTYPE_VNODE) {
- vnode_t *vp = (vnode_t *)fp->f_data;
- if ((vp->v_type == VDIR) &&
- !vn_isunder(vp, p->p_cwdi->cwdi_rdir, l)) {
- error = EPERM;
- goto out;
- }
+ rp = (file_t **)CMSG_DATA(cm);
+ for (size_t i = 0; i < nfds; i++) {
+ file_t * const fp = *rp++;
+ if (fp == NULL) {
+ error = EINVAL;
+ goto out;
+ }
+ /*
+ * If we are in a chroot'ed directory, and
+ * someone wants to pass us a directory, make
+ * sure it's inside the subtree we're allowed
+ * to access.
+ */
+ if (p->p_cwdi->cwdi_rdir != NULL && fp->f_type == DTYPE_VNODE) {
+ vnode_t *vp = (vnode_t *)fp->f_data;
+ if ((vp->v_type == VDIR) &&
+ !vn_isunder(vp, p->p_cwdi->cwdi_rdir, l)) {
+ error = EPERM;
+ goto out;
}
}
}
restart:
- rp = (file_t **)CMSG_DATA(cm);
/*
* First loop -- allocate file descriptor table slots for the
* new files.
