diff options
author | truckman <truckman@FreeBSD.org> | 1999-05-10 18:09:39 +0000 |
---|---|---|
committer | truckman <truckman@FreeBSD.org> | 1999-05-10 18:09:39 +0000 |
commit | df85d5a50f44492d3f123eee0ac0304369471e85 (patch) | |
tree | 36730c3418fab9665679cea839e9759000454975 /sys/kern/uipc_usrreq.c | |
parent | 15ee2ac7e1808c386d8fedf7b3512e8b9d6f8c4d (diff) | |
download | FreeBSD-src-df85d5a50f44492d3f123eee0ac0304369471e85.zip FreeBSD-src-df85d5a50f44492d3f123eee0ac0304369471e85.tar.gz |
Fix descriptor leak provoked by KKIS.05051999.003b exploit code.
unp_internalize() takes a reference to the descriptor. If the send
fails after unp_internalize(), the control mbuf would be freed ophaning
the reference.
Tested in -CURRENT by: Pierre Beyssac <beyssac@enst.fr>
Diffstat (limited to 'sys/kern/uipc_usrreq.c')
-rw-r--r-- | sys/kern/uipc_usrreq.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 52823be..2b18eb5 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * From: @(#)uipc_usrreq.c 8.3 (Berkeley) 1/4/94 - * $Id: uipc_usrreq.c,v 1.42 1999/04/12 14:34:52 eivind Exp $ + * $Id: uipc_usrreq.c,v 1.43 1999/04/28 11:37:07 phk Exp $ */ #include <sys/param.h> @@ -367,6 +367,9 @@ uipc_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam, unp_shutdown(unp); } + if (control && error != 0) + unp_dispose(control); + release: if (control) m_freem(control); |