author | glebius <glebius@FreeBSD.org> | 2013-06-04 11:19:08 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2013-06-04 11:19:08 +0000 |
commit | 1bf8d856bdc4c23067ff41e0696bd3b08c0fb454 (patch) | |
tree | 86b2a31dadfcea79a07e16b55e19e883ba749318 /sys/kern/uipc_usrreq.c | |
parent | 36c9d501f00fc519e9198041f481d3f9568f32e6 (diff) | |
Improve r250890, so that we stop processing of a message with zero
descriptors as early as possible, and assert that number of descriptors
is positive in unp_freerights().
Reviewed by: mjg, pjd, jilles
Diffstat (limited to 'sys/kern/uipc_usrreq.c')
-rw-r--r-- | sys/kern/uipc_usrreq.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 0961e6c..5d8e814 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -1686,8 +1686,8 @@ unp_freerights(struct filedescent **fdep, int fdcount) struct file *fp; int i; - if (fdcount == 0) - return; + KASSERT(fdcount > 0, ("%s: fdcount %d", __func__, fdcount)); + for (i = 0; i < fdcount; i++) { fp = fdep[i]->fde_file; filecaps_free(&fdep[i]->fde_caps); @@ -1725,6 +1725,8 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) { newfds = datalen / sizeof(*fdep); + if (newfds == 0) + goto next; fdep = data; /* If we're not outputting the descriptors free them. */ @@ -1770,8 +1772,7 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) unp_externalize_fp(fde->fde_file); } FILEDESC_XUNLOCK(fdesc); - if (newfds != 0) - free(fdep[0], M_FILECAPS); + free(fdep[0], M_FILECAPS); } else { /* We can just copy anything else across. */ if (error || controlp == NULL) @@ -1894,6 +1895,8 @@ unp_internalize(struct mbuf **controlp, struct thread *td) case SCM_RIGHTS: oldfds = datalen / sizeof (int); + if (oldfds == 0) + break; /* * Check that all the FDs passed in refer to legal * files. If not, reject the entire operation. @@ -1928,10 +1931,6 @@ unp_internalize(struct mbuf **controlp, struct thread *td) error = E2BIG; goto out; } - if (oldfds == 0) { - FILEDESC_SUNLOCK(fdesc); - break; - } fdp = data; fdep = (struct filedescent **) CMSG_DATA(mtod(*controlp, struct cmsghdr *)); |
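Review bot: In the unp_freerights() hunk (-1686) the `fdcount > 0` precondition is now enforced only by `KASSERT`, which is compiled out of kernels built without INVARIANTS, so on a production kernel a zero or negative count simply skips the loop and runs whatever follows it. The function body continues past the end of this hunk, so whether the code after the loop still reads `fdep[0]` cannot be confirmed here and should be checked. Every caller now has to guarantee a positive count; this commit adds that guard in unp_externalize(), and any other callers, which are not visible in this diff, should be audited as well. I would state the contract next to the assertion, e.g. `/* Callers must pass fdcount > 0; this is only checked under INVARIANTS. */`.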
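Review bot: The now-unconditional `free(fdep[0], M_FILECAPS);` in the second unp_externalize() hunk (-1770) is safe only because of the `if (newfds == 0) goto next;` added in the first one (-1725), and nothing at the free site records that dependency. `newfds` is the result of an integer division of `datalen`, so a payload shorter than one `*fdep` also takes the early exit rather than reaching the free. The `next` label and the code between the two hunks are outside this diff, so it should be confirmed that no other path arrives at the free with `newfds == 0`. A comment at the free such as `/* newfds > 0 here: zero-descriptor messages were skipped above. */`, or an assertion to the same effect, would keep a later edit from reintroducing the out-of-bounds read of `fdep[0]`.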
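Review bot: The early `if (oldfds == 0) break;` in unp_internalize() (-1894) leaves the `SCM_RIGHTS` case much sooner than the check it replaces, which the -1928 hunk removes from a point where the descriptor-table lock was held and where the surrounding context (`mtod(*controlp, struct cmsghdr *)`) shows `*controlp` is expected to already hold the replacement control mbuf. On the new path `*controlp` has presumably not been assigned for this message, and the code after the switch is outside this diff, so it should be confirmed that it does not dereference `*controlp` unconditionally, for instance when advancing through `(*controlp)->m_next`. If it does, that step needs a guard along the lines of `if (*controlp != NULL)`. Because `oldfds` is derived from a length carried in the sender's control message, a regression test that sends an `SCM_RIGHTS` message with no descriptors would be worth adding alongside this change.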