Module Name:	src
Committed By:	riz
Date:		Tue Oct  9 23:45:21 UTC 2012

Modified Files:
	src/sys/kern [netbsd-6]: uipc_usrreq.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #593):
	sys/kern/uipc_usrreq.c: revision 1.140

Avoid crash dereferencing a NULL fp in fd_affix() in unp_externalize caused
by the sequence of passing two fd's with two sendmsg()'s, then doing a read()
and a recvmsg(). The read() calls dom_dispose() which discards both messages
in the mbuf, and sets the fp's in the array to NULL. Linux dequeues only one
message per read() so the second recvmsg() gets the fd from the second
message. This fix just avoids the NULL pointer de-reference, making the
second recvmsg() fail. It is dubious to pass fd's with stream sockets and
expect mixing read() and recvmsg() to work. Plus processing one control
message per read() changes the current semantics and should be examined
before being applied. In addition there is a race between dom_externalize()
and dom_dispose(): what happens in a multi-threaded network stack when one
thread disposes where the other externalizes the same array?
NB: Pullup to 6.

To generate a diff of this commit:
cvs rdiff -u -r1.136.8.1 -r1.136.8.2 src/sys/kern/uipc_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
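The user-space side of the sequence the log message describes, as an added example that is not part of this commit or of the NetBSD source tree: two sendmsg() calls on one end of an AF_UNIX stream socketpair, each carrying one descriptor via SCM_RIGHTS, then a plain read() on the other end, then a recvmsg() with a control buffer. The function and helper names, and the choice of /dev/null as the descriptors being passed, are this example's own. On Linux, which dequeues one fd-carrying message per read(), the read() discards the first descriptor and the final recvmsg() delivers the second, so the function returns 1; on NetBSD the commit message states that before revision 1.140 this sequence crashed the kernel in fd_affix(), and after it the final recvmsg() fails, which this function reports as -1.

```c
#define _GNU_SOURCE 1
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Send one payload byte plus one descriptor (SCM_RIGHTS). 0 on success, -1 on error. */
static int send_fd(int sock, int fd_to_pass, char tag)
{
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one message with a control buffer. Returns the number of descriptors
 * delivered (0 or 1) or -1 if recvmsg() fails; the descriptor goes to *fd_out. */
static int recv_fd(int sock, char *tag, int *fd_out)
{
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct iovec iov = { .iov_base = tag, .iov_len = 1 };
    struct msghdr msg;
    struct cmsghdr *cm;
    int n = 0;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) < 0)
        return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS &&
            cm->cmsg_len == CMSG_LEN(sizeof(int))) {
            memcpy(fd_out, CMSG_DATA(cm), sizeof(int));
            n++;
        }
    }
    return n;
}

/* The sequence from the log message: sendmsg() with fd, sendmsg() with fd,
 * read(), recvmsg(). Returns the number of descriptors the final recvmsg()
 * delivered, or -1 if it (or any setup step) failed. */
int fds_after_read_then_recvmsg(void)
{
    int sv[2], fd1, fd2, got = -1, result = -1;
    char buf[16], tag = 0;
    struct stat st;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    /* /dev/null stands in for any descriptor worth passing (assumption). */
    fd1 = open("/dev/null", O_RDONLY);
    fd2 = open("/dev/null", O_RDONLY);
    if (fd1 < 0 || fd2 < 0)
        goto out;
    if (send_fd(sv[0], fd1, 'A') < 0 || send_fd(sv[0], fd2, 'B') < 0)
        goto out;
    /* read() supplies no control buffer, so any descriptors it consumes are
     * discarded by the kernel; how many messages it consumes is OS-specific. */
    if (read(sv[1], buf, sizeof buf) < 0)
        goto out;
    result = recv_fd(sv[1], &tag, &got);
    /* A delivered descriptor must be usable in this process; if not, count it as none. */
    if (result == 1 && fstat(got, &st) < 0)
        result = 0;
    if (got >= 0)
        close(got);
out:
    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) close(fd2);
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    printf("descriptors delivered by the final recvmsg(): %d\n",
           fds_after_read_then_recvmsg());
    return 0;
}
```

Compile with `cc -o fdmix fdmix.c` and run it as an unprivileged user; nothing in it needs root. The point the log message makes is visible in the two outcomes: the program is portable, but whether the second descriptor survives a read() that did not ask for control data is not, which is why mixing read() and recvmsg() on a stream socket that carries fd's is described as dubious.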