Don't leave a dangling socket (no associated struct file) if

user supplied a bad name or anamelen parameter to accept(2).
If bad paramaters were suplied and a copyout() failed, the
struct file was cleaned up but not the associated socket.  This
could leave sockets in CLOSE_WAIT that could never be closed.
This commit is contained in:
seanb 2006-08-22 13:39:48 +00:00
parent 0bfc315592
commit eeb51ff4c3

View File

@ -1,4 +1,4 @@
/* $NetBSD: uipc_syscalls.c,v 1.101 2006/07/23 22:06:11 ad Exp $ */
/* $NetBSD: uipc_syscalls.c,v 1.102 2006/08/22 13:39:48 seanb Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1990, 1993
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.101 2006/07/23 22:06:11 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.102 2006/08/22 13:39:48 seanb Exp $");
#include "opt_ktrace.h"
#include "opt_pipe.h"
@ -240,10 +240,12 @@ sys_accept(struct lwp *l, void *v, register_t *retval)
namelen = nam->m_len;
/* SHOULD COPY OUT A CHAIN HERE */
if ((error = copyout(mtod(nam, caddr_t),
(caddr_t)SCARG(uap, name), namelen)) == 0)
error = copyout((caddr_t)&namelen,
(caddr_t)SCARG(uap, anamelen),
sizeof(*SCARG(uap, anamelen)));
(caddr_t)SCARG(uap, name), namelen)) != 0 ||
(error = copyout((caddr_t)&namelen,
(caddr_t)SCARG(uap, anamelen),
sizeof(*SCARG(uap, anamelen)))) != 0) {
soclose(so);
}
}
/* if an error occurred, free the file descriptor */
if (error) {