mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-24 11:29:10 +00:00
Improve r250890, so that we stop processing of a message with zero
descriptors as early as possible, and assert that number of descriptors is positive in unp_freerights(). Reviewed by: mjg, pjd, jilles
This commit is contained in:
parent
ab1aa38b02
commit
82e825c4c9
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=251374
@ -1686,8 +1686,8 @@ unp_freerights(struct filedescent **fdep, int fdcount)
|
|||||||
struct file *fp;
|
struct file *fp;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (fdcount == 0)
|
KASSERT(fdcount > 0, ("%s: fdcount %d", __func__, fdcount));
|
||||||
return;
|
|
||||||
for (i = 0; i < fdcount; i++) {
|
for (i = 0; i < fdcount; i++) {
|
||||||
fp = fdep[i]->fde_file;
|
fp = fdep[i]->fde_file;
|
||||||
filecaps_free(&fdep[i]->fde_caps);
|
filecaps_free(&fdep[i]->fde_caps);
|
||||||
@ -1725,6 +1725,8 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags)
|
|||||||
if (cm->cmsg_level == SOL_SOCKET
|
if (cm->cmsg_level == SOL_SOCKET
|
||||||
&& cm->cmsg_type == SCM_RIGHTS) {
|
&& cm->cmsg_type == SCM_RIGHTS) {
|
||||||
newfds = datalen / sizeof(*fdep);
|
newfds = datalen / sizeof(*fdep);
|
||||||
|
if (newfds == 0)
|
||||||
|
goto next;
|
||||||
fdep = data;
|
fdep = data;
|
||||||
|
|
||||||
/* If we're not outputting the descriptors free them. */
|
/* If we're not outputting the descriptors free them. */
|
||||||
@ -1770,8 +1772,7 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags)
|
|||||||
unp_externalize_fp(fde->fde_file);
|
unp_externalize_fp(fde->fde_file);
|
||||||
}
|
}
|
||||||
FILEDESC_XUNLOCK(fdesc);
|
FILEDESC_XUNLOCK(fdesc);
|
||||||
if (newfds != 0)
|
free(fdep[0], M_FILECAPS);
|
||||||
free(fdep[0], M_FILECAPS);
|
|
||||||
} else {
|
} else {
|
||||||
/* We can just copy anything else across. */
|
/* We can just copy anything else across. */
|
||||||
if (error || controlp == NULL)
|
if (error || controlp == NULL)
|
||||||
@ -1894,6 +1895,8 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
|
|||||||
|
|
||||||
case SCM_RIGHTS:
|
case SCM_RIGHTS:
|
||||||
oldfds = datalen / sizeof (int);
|
oldfds = datalen / sizeof (int);
|
||||||
|
if (oldfds == 0)
|
||||||
|
break;
|
||||||
/*
|
/*
|
||||||
* Check that all the FDs passed in refer to legal
|
* Check that all the FDs passed in refer to legal
|
||||||
* files. If not, reject the entire operation.
|
* files. If not, reject the entire operation.
|
||||||
@ -1928,10 +1931,6 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
|
|||||||
error = E2BIG;
|
error = E2BIG;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if (oldfds == 0) {
|
|
||||||
FILEDESC_SUNLOCK(fdesc);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
fdp = data;
|
fdp = data;
|
||||||
fdep = (struct filedescent **)
|
fdep = (struct filedescent **)
|
||||||
CMSG_DATA(mtod(*controlp, struct cmsghdr *));
|
CMSG_DATA(mtod(*controlp, struct cmsghdr *));
|
||||||
|
Loading…
Reference in New Issue
Block a user