From bd508d391b5258e9ee145bc15161b62664c95fbb Mon Sep 17 00:00:00 2001
From: Don Lewis
Date: Mon, 10 May 1999 18:09:39 +0000
Subject: [PATCH] Fix descriptor leak provoked by KKIS.05051999.003b exploit code. unp_internalize() takes a reference to the descriptor. If the send fails after unp_internalize(), the control mbuf would be freed ophaning the reference. Tested in -CURRENT by: Pierre Beyssac
---
 sys/kern/uipc_usrreq.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 52823bee2c6..2b18eb5a10f 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * From: @(#)uipc_usrreq.c 8.3 (Berkeley) 1/4/94
- * $Id: uipc_usrreq.c,v 1.42 1999/04/12 14:34:52 eivind Exp $
+ * $Id: uipc_usrreq.c,v 1.43 1999/04/28 11:37:07 phk Exp $
 */

 #include
@@ -367,6 +367,9 @@ uipc_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
 unp_shutdown(unp);
 }

+ if (control && error != 0)
+ unp_dispose(control);
+
 release:
 if (control)
 m_freem(control);
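Review bot: The new `unp_dispose(control)` sits above the `release:` label, so it only runs on the fall-through path; any `goto release` taken after unp_internalize() has succeeded would skip it and go straight to `m_freem(control)`, orphaning the descriptor references exactly as before the fix. The guard also depends on every failure after internalization setting `error`, so a path that leaves `control` non-NULL with `error == 0` would not be covered. Most of uipc_send() lies outside this hunk, so neither case can be confirmed from here; it is worth auditing the jumps to `release:` and recording the invariant in a comment above the new lines, e.g. `/* control was internalized but never handed to the receiver: drop its descriptor references before the mbuf is freed */`.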