[Bug 131876] [socket] FD leak by receiving SCM_RIGHTS by recvmsg with small control message buffer

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=131876

Mark Johnston <markj at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|rwatson at FreeBSD.org         |freebsd-net at FreeBSD.org
                 CC|                            |markj at FreeBSD.org
             Status|In Progress                 |Open

--- Comment #3 from Mark Johnston <markj at FreeBSD.org> ---
It looks to me as though the loop in kern_recvit() which sets MSG_CTRUNC needs
to use dom_dispose to ensure that the remaining rights are closed before the
mbuf is
freed. Unfortunately, dom_dispose wants a socket rather than an mbuf - this was
changed in r285522 to fix a race between unp_dispose() and unp_gc(). However,
in this case the truncated mbuf will have already been removed from the socket
buffer, so we don't need to worry about the race. (If MSG_PEEK is set, the
rights will still be present in the sockbuf and we needn't do anything.)

So, to fix this we'd either need a way to invoke dom_dispose on a plain mbuf
(i.e., the KPI prior to r285522), or we need to fake up a socket like
sorflush() does.

-- 
You are receiving this mail because:
You are the assignee for the bug.