From eeb51ff4c3206b66859d4cfc5abb689635313cb0 Mon Sep 17 00:00:00 2001 From: seanb Date: Tue, 22 Aug 2006 13:39:48 +0000 Subject: [PATCH] Don't leave a dangling socket (no associated struct file) if user supplied a bad name or anamelen parameter to accept(2). If bad paramaters were suplied and a copyout() failed, the struct file was cleaned up but not the associated socket. This could leave sockets in CLOSE_WAIT that could never be closed. --- sys/kern/uipc_syscalls.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 2d2f01aac562..f65f97867b19 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -1,4 +1,4 @@ -/* $NetBSD: uipc_syscalls.c,v 1.101 2006/07/23 22:06:11 ad Exp $ */ +/* $NetBSD: uipc_syscalls.c,v 1.102 2006/08/22 13:39:48 seanb Exp $ */ /* * Copyright (c) 1982, 1986, 1989, 1990, 1993 @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.101 2006/07/23 22:06:11 ad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.102 2006/08/22 13:39:48 seanb Exp $"); #include "opt_ktrace.h" #include "opt_pipe.h" @@ -240,10 +240,12 @@ sys_accept(struct lwp *l, void *v, register_t *retval) namelen = nam->m_len; /* SHOULD COPY OUT A CHAIN HERE */ if ((error = copyout(mtod(nam, caddr_t), - (caddr_t)SCARG(uap, name), namelen)) == 0) - error = copyout((caddr_t)&namelen, - (caddr_t)SCARG(uap, anamelen), - sizeof(*SCARG(uap, anamelen))); + (caddr_t)SCARG(uap, name), namelen)) != 0 || + (error = copyout((caddr_t)&namelen, + (caddr_t)SCARG(uap, anamelen), + sizeof(*SCARG(uap, anamelen)))) != 0) { + soclose(so); + } } /* if an error occurred, free the file descriptor */ if (error) {