passing fd over unix socket: fix a corner case where caller

wants to pass no descriptors. Previously the kernel would leak memory and try to free a potentially arbitrary pointer. Reviewed by: pjd
2013-05-21 21:58:00 +00:00 · 2013-05-21 21:58:00 +00:00 · ecbb2a1819
commit ecbb2a1819
parent 553f17daf9
1 changed files with 8 additions and 1 deletions
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@ -1686,6 +1686,8 @@ unp_freerights(struct filedescent **fdep, int fdcount)
 	struct file *fp;
 	int i;

+	if (fdcount == 0)
+		return;
 	for (i = 0; i < fdcount; i++) {
 		fp = fdep[i]->fde_file;
 		filecaps_free(&fdep[i]->fde_caps);
@ -1768,7 +1770,8 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags)
 				unp_externalize_fp(fde->fde_file);
 			}
 			FILEDESC_XUNLOCK(fdesc);
-			free(fdep[0], M_FILECAPS);
+			if (newfds != 0)
+				free(fdep[0], M_FILECAPS);
 		} else {
 			/* We can just copy anything else across. */
 			if (error || controlp == NULL)
@ -1925,6 +1928,10 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
 				error = E2BIG;
 				goto out;
 			}
+			if (oldfds == 0) {
+				FILEDESC_SUNLOCK(fdesc);
+				break;
+			}
 			fdp = data;
 			fdep = (struct filedescent **)
 			    CMSG_DATA(mtod(*controlp, struct cmsghdr *));