Fix descriptor leak provoked by KKIS.05051999.003b exploit code.

unp_internalize() takes a reference to the descriptor. If the send fails after unp_internalize(), the control mbuf would be freed ophaning the reference. Tested in -CURRENT by: Pierre Beyssac <beyssac@enst.fr>
2026-05-28 04:12:45 -04:00 · 1999-05-10 18:09:39 +00:00 · 1999-05-10 18:09:39 +00:00 · bd508d391b
commit bd508d391b
parent 38fc822d7f
1 changed files with 4 additions and 1 deletions
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	From: @(#)uipc_usrreq.c	8.3 (Berkeley) 1/4/94
- *	$Id: uipc_usrreq.c,v 1.42 1999/04/12 14:34:52 eivind Exp $
+ *	$Id: uipc_usrreq.c,v 1.43 1999/04/28 11:37:07 phk Exp $
 */

 #include <sys/param.h>
@ -367,6 +367,9 @@ uipc_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
 		unp_shutdown(unp);
 	}

+	if (control && error != 0)
+		unp_dispose(control);
+
 release:
 	if (control)
 		m_freem(control);