Fix descriptor leak provoked by KKIS.05051999.003b exploit code.

unp_internalize() takes a reference to the descriptor. If the send fails after unp_internalize(), the control mbuf would be freed ophaning the reference. Tested in -CURRENT by: Pierre Beyssac <beyssac@enst.fr>
author: truckman <truckman@FreeBSD.org> 1999-05-10 18:09:39 +0000
committer: truckman <truckman@FreeBSD.org> 1999-05-10 18:09:39 +0000
commit: df85d5a50f44492d3f123eee0ac0304369471e85 (patch)
tree: 36730c3418fab9665679cea839e9759000454975 /sys/kern/uipc_usrreq.c
parent: 15ee2ac7e1808c386d8fedf7b3512e8b9d6f8c4d (diff)
download: FreeBSD-src-df85d5a50f44492d3f123eee0ac0304369471e85.zip
FreeBSD-src-df85d5a50f44492d3f123eee0ac0304369471e85.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 52823be..2b18eb5 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	From: @(#)uipc_usrreq.c	8.3 (Berkeley) 1/4/94
- *	$Id: uipc_usrreq.c,v 1.42 1999/04/12 14:34:52 eivind Exp $
+ *	$Id: uipc_usrreq.c,v 1.43 1999/04/28 11:37:07 phk Exp $
  */
 
 #include <sys/param.h>
@@ -367,6 +367,9 @@ uipc_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
 		unp_shutdown(unp);
 	}
 
+	if (control && error != 0)
+		unp_dispose(control);
+
 release:
 	if (control)
 		m_freem(control);
author	truckman <truckman@FreeBSD.org>	1999-05-10 18:09:39 +0000
committer	truckman <truckman@FreeBSD.org>	1999-05-10 18:09:39 +0000
commit	df85d5a50f44492d3f123eee0ac0304369471e85 (patch)
tree	36730c3418fab9665679cea839e9759000454975 /sys/kern/uipc_usrreq.c
parent	15ee2ac7e1808c386d8fedf7b3512e8b9d6f8c4d (diff)
download	FreeBSD-src-df85d5a50f44492d3f123eee0ac0304369471e85.zip FreeBSD-src-df85d5a50f44492d3f123eee0ac0304369471e85.tar.gz