2.9 BSD socket() syscall bug (and fix)
David L. Stevens
dls at j.cc.purdue.edu
Thu Oct 16 12:36:08 AEST 1986
Index: /usr/src/sys/sys/ipc.c 2.9BSD (with ISR mods)
Description:
When creating a socket, the syscall can leave a file structure
that claims to be a socket, but has no socket structure pointer
in f_socket. This results in a bus error when the file is closed,
from within a program or on exit.
Repeat-By:
Call socket() with a protocol that isn't supported; when there
are no mbufs available; or any time when socreate() will fail.
Then fork() and exit. This will result in a kernel mode bus error
and a panic().
Fix:
The problem is that socket() tries to get rid of the file reference
by setting the reference count to 0. A fork will increment this
and then there is an unusable file structure that will be closed
on exit. Since the FSOCKET bit is set, soclose() will be called
and it blindly tries to dereference f_socket.
The fix is to simply not mark the file structure as a
socket unless socreate() succeeds. The reference count trick
works fine as long as soclose() isn't called.
*** BROKEN /usr/src/sys/sys/ipc.c Wed Oct 15 21:09:00 1986
--- FIXED /usr/src/sys/sys/ipc.c Tue Oct 14 14:01:49 1986
***************
*** 100,106
}
if ((fp = falloc()) == NULL)
return;
! fp->f_flag = FSOCKET|FREAD|FWRITE;
if (uap->asp && copyin((caddr_t)uap->asp, (caddr_t)&sp, sizeof (sp)) ||
uap->asa && copyin((caddr_t)uap->asa, (caddr_t)&sa, sizeof (sa))) {
u.u_error = EFAULT;
--- 100,106 -----
}
if ((fp = falloc()) == NULL)
return;
! fp->f_flag = FREAD|FWRITE;
if (uap->asp && copyin((caddr_t)uap->asp, (caddr_t)&sp, sizeof (sp)) ||
uap->asa && copyin((caddr_t)uap->asa, (caddr_t)&sa, sizeof (sa))) {
u.u_error = EFAULT;
***************
*** 110,115
uap->asp ? &sp : 0, uap->asa ? &sa : 0, uap->options);
if (u.u_error)
goto bad;
fp->f_socket = so;
return;
bad:
--- 110,116 -----
uap->asp ? &sp : 0, uap->asa ? &sa : 0, uap->options);
if (u.u_error)
goto bad;
+ fp->f_flag |= FSOCKET;
fp->f_socket = so;
return;
bad:
--
+-DLS (dls at j.cc.purdue.edu)
More information about the Comp.bugs.2bsd
mailing list