Don't leave a dangling socket (no associated struct file) if

user supplied a bad name or anamelen parameter to accept(2). If bad paramaters were suplied and a copyout() failed, the struct file was cleaned up but not the associated socket. This could leave sockets in CLOSE_WAIT that could never be closed.
2006-08-22 13:39:48 +00:00 · 2006-08-22 13:39:48 +00:00 · eeb51ff4c3
parent 0bfc315592
commit eeb51ff4c3
1 changed files with 8 additions and 6 deletions
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_syscalls.c,v 1.101 2006/07/23 22:06:11 ad Exp $	*/
+/*	$NetBSD: uipc_syscalls.c,v 1.102 2006/08/22 13:39:48 seanb Exp $	*/

 /*
 * Copyright (c) 1982, 1986, 1989, 1990, 1993
@ -32,7 +32,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.101 2006/07/23 22:06:11 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.102 2006/08/22 13:39:48 seanb Exp $");

 #include "opt_ktrace.h"
 #include "opt_pipe.h"
@ -240,10 +240,12 @@ sys_accept(struct lwp *l, void *v, register_t *retval)
 			namelen = nam->m_len;
 		/* SHOULD COPY OUT A CHAIN HERE */
 		if ((error = copyout(mtod(nam, caddr_t),
-		    (caddr_t)SCARG(uap, name), namelen)) == 0)
-			error = copyout((caddr_t)&namelen,
-			    (caddr_t)SCARG(uap, anamelen),
-			    sizeof(*SCARG(uap, anamelen)));
+		    (caddr_t)SCARG(uap, name), namelen)) != 0 ||
+		    (error = copyout((caddr_t)&namelen,
+		    (caddr_t)SCARG(uap, anamelen),
+		    sizeof(*SCARG(uap, anamelen)))) != 0) {
+			soclose(so);
+		}
 	}
 	/* if an error occurred, free the file descriptor */
 	if (error) {