Fix a use-after-free in soabort(). It would be better to kill SS_NOFDREF

and maintain a per-socket reference count, but SS_NOFDREF is slightly more than a simple reference count and I don't want to break anything.
2008-04-27 14:26:58 +00:00 · 2008-04-27 14:26:58 +00:00 · 12e587a1a3
parent 92cbb1b2af
commit 12e587a1a3
2 changed files with 13 additions and 4 deletions
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_socket.c,v 1.160 2008/04/24 11:38:36 ad Exp $	*/
+/*	$NetBSD: uipc_socket.c,v 1.161 2008/04/27 14:26:58 ad Exp $	*/

 /*-
 * Copyright (c) 2002, 2007, 2008 The NetBSD Foundation, Inc.
@ -70,7 +70,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.160 2008/04/24 11:38:36 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_socket.c,v 1.161 2008/04/27 14:26:58 ad Exp $");

 #include "opt_sock_counters.h"
 #include "opt_sosend_loan.h"
@ -594,6 +594,7 @@ solisten(struct socket *so, int backlog, struct lwp *l)
 void
 sofree(struct socket *so)
 {
+	u_int refs;

 	KASSERT(solocked(so));

@ -623,8 +624,10 @@ sofree(struct socket *so)
 	KASSERT(!cv_has_waiters(&so->so_rcv.sb_cv));
 	KASSERT(!cv_has_waiters(&so->so_snd.sb_cv));
 	sorflush(so);
+	refs = so->so_aborting;	/* XXX */
 	sounlock(so);
-	soput(so);
+	if (refs == 0)		/* XXX */
+		soput(so);
 }

 /*
@ -700,17 +703,22 @@ soclose(struct socket *so)
 int
 soabort(struct socket *so)
 {
+	u_int refs;
 	int error;
 	
 	KASSERT(solocked(so));
 	KASSERT(so->so_head == NULL);

+	so->so_aborting++;		/* XXX */
 	error = (*so->so_proto->pr_usrreq)(so, PRU_ABORT, NULL,
 	    NULL, NULL, NULL);
+	refs = --so->so_aborting;	/* XXX */
 	if (error) {
 		sofree(so);
 	} else {
 		sounlock(so);
+		if (refs == 0) 
+			sofree(so);
 	}
 	return error;
 }
--- a/sys/sys/socketvar.h
+++ b/sys/sys/socketvar.h
@ -1,4 +1,4 @@
-/*	$NetBSD: socketvar.h,v 1.105 2008/04/24 11:38:39 ad Exp $	*/
+/*	$NetBSD: socketvar.h,v 1.106 2008/04/27 14:26:58 ad Exp $	*/

 /*-
 * Copyright (c) 2008 The NetBSD Foundation, Inc.
@ -154,6 +154,7 @@ struct socket {
 	short		so_qlimit;	/* max number queued connections */
 	short		so_timeo;	/* connection timeout */
 	u_short		so_error;	/* error affecting connection */
+	u_short		so_aborting;	/* references from soabort() */
 	pid_t		so_pgid;	/* pgid for signals */
 	u_long		so_oobmark;	/* chars to oob mark */
 	struct sockbuf	so_snd;		/* send buffer */