Panic from bad length parameter in bind (Possible DOS attack)
Pawel Jakub Dawidek
pjd at FreeBSD.org
Tue Apr 6 09:35:54 PDT 2004
On Sat, Apr 03, 2004 at 02:21:08PM -0700, Ryan Sommers wrote:
+> Whenever I supply a length of 4 as the final bind parameter I get the
+> following panic. Looks like bind returns fine, however, when the program
+> exits it stumbles over some mutex associated with the descriptor. The
+> mutex passed to mtx_destroy() has MTX_RECURSED set. I attempted to find
+> where the call to bind was clobbering the mutex but couldn't. I attached
+> the simple program to exploit this. I was able to do it as a regular user.
Yes, could you try this patch:
http://people.freebsd.org/~pjd/patches/tcp_usrreq.c.patch
--
Pawel Jakub Dawidek http://www.FreeBSD.org
pjd at FreeBSD.org http://garage.freebsd.pl
FreeBSD committer Am I Evil? Yes, I Am!