[Bug 131876] [socket] FD leak by receiving SCM_RIGHTS by recvmsg with small control message buffer
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Tue Aug 7 16:37:21 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=131876
--- Comment #9 from commit-hook at freebsd.org ---
A commit references this bug:
Author: markj
Date: Tue Aug 7 16:36:50 UTC 2018
New revision: 337423
URL: https://svnweb.freebsd.org/changeset/base/337423
Log:
Improve handling of control message truncation.
If a recvmsg(2) or recvmmsg(2) caller doesn't provide sufficient space
for all control messages, the kernel sets MSG_CTRUNC in the message
flags to indicate truncation of the control messages. In the case
of SCM_RIGHTS messages, however, we were failing to dispose of the
rights that had already been externalized into the recipient's file
descriptor table. Add a new function and mbuf type to handle this
cleanup task, and use it any time we fail to copy control messages
out to the recipient. To simplify cleanup, control message truncation
is now only performed at control message boundaries.
The change also fixes a few related bugs:
- Rights could be leaked to the recipient process if an error occurred
while copying out a message's contents.
- We failed to set MSG_CTRUNC if the truncation occurred on a control
message boundary, e.g., if the caller received two control messages
and provided only the exact amount of buffer space needed for the
first.
PR: 131876
Reviewed by: ed (previous version)
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D16561
Changes:
head/sys/compat/cloudabi/cloudabi_sock.c
head/sys/compat/freebsd32/freebsd32_misc.c
head/sys/compat/linux/linux_socket.c
head/sys/kern/uipc_syscalls.c
head/sys/kern/uipc_usrreq.c
head/sys/sys/mbuf.h
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-net
mailing list