Panic from bad length parameter in bind (Possible DOS attack)
Ryan Sommers
ryans at gamersimpact.com
Sun Apr 4 12:59:32 PDT 2004
Pawel Jakub Dawidek said:
> On Sat, Apr 03, 2004 at 02:21:08PM -0700, Ryan Sommers wrote:
> +> Whenever I supply a length of 4 as the final bind parameter I get the
> +> following panic. Looks like bind returns fine, however, when the
> program
> +> exits it stumbles over some mutex associated with the descriptor. The
> +> mutex passed to mtx_destroy() has MTX_RECURSED set. I attempted to find
> +> where the call to bind was clobbering the mutex but couldn't. I
> attached
> +> the simple program to exploit this. I was able to do it as a regular
> user.
>
> Yes, could you try this patch:
>
> http://people.freebsd.org/~pjd/patches/tcp_usrreq.c.patch
That fixes it.
>
> --
> Pawel Jakub Dawidek http://www.FreeBSD.org
> pjd at FreeBSD.org http://garage.freebsd.pl
> FreeBSD committer Am I Evil? Yes, I Am!
>
--
Ryan Sommers
ryans at gamersimpact.com
More information about the freebsd-current
mailing list