svn commit: r250890 - head/sys/kern

Mateusz Guzik mjg at FreeBSD.org
Tue May 21 21:58:02 UTC 2013


Author: mjg
Date: Tue May 21 21:58:00 2013
New Revision: 250890
URL: http://svnweb.freebsd.org/changeset/base/250890

Log:
  passing fd over unix socket: fix a corner case where caller
  wants to pass no descriptors.
  
  Previously the kernel would leak memory and try to free a potentially
  arbitrary pointer.
  
  Reviewed by:	pjd

Modified:
  head/sys/kern/uipc_usrreq.c

Modified: head/sys/kern/uipc_usrreq.c
==============================================================================
--- head/sys/kern/uipc_usrreq.c	Tue May 21 21:50:11 2013	(r250889)
+++ head/sys/kern/uipc_usrreq.c	Tue May 21 21:58:00 2013	(r250890)
@@ -1686,6 +1686,8 @@ unp_freerights(struct filedescent **fdep
 	struct file *fp;
 	int i;
 
+	if (fdcount == 0)
+		return;
 	for (i = 0; i < fdcount; i++) {
 		fp = fdep[i]->fde_file;
 		filecaps_free(&fdep[i]->fde_caps);
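Review bot: The early return in unp_freerights carries no comment explaining why a zero count is special, and the loop alone does not show it: presumably the code after the loop (outside this hunk) releases `fdep[0]`, which does not point at a valid allocation when no descriptors were passed. I would add `/* No descriptors: fdep[0] was never allocated, so there is nothing to close or free. */` above the check. The same invariant is guarded a second time, in a different form, by `if (newfds != 0)` before `free(fdep[0], M_FILECAPS)` in unp_externalize, and that site needs the same comment. Because the rule "fdep[0] is only meaningful when the count is non-zero" now lives in two places, any later caller that frees the array has to rediscover it, so stating it once near the allocation would also help.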
@@ -1768,7 +1770,8 @@ unp_externalize(struct mbuf *control, st
 				unp_externalize_fp(fde->fde_file);
 			}
 			FILEDESC_XUNLOCK(fdesc);
-			free(fdep[0], M_FILECAPS);
+			if (newfds != 0)
+				free(fdep[0], M_FILECAPS);
 		} else {
 			/* We can just copy anything else across. */
 			if (error || controlp == NULL)
@@ -1925,6 +1928,10 @@ unp_internalize(struct mbuf **controlp, 
 				error = E2BIG;
 				goto out;
 			}
+			if (oldfds == 0) {
+				FILEDESC_SUNLOCK(fdesc);
+				break;
+			}
 			fdp = data;
 			fdep = (struct filedescent **)
 			    CMSG_DATA(mtod(*controlp, struct cmsghdr *));
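Review bot: The zero-count exit added to unp_internalize releases the filedesc lock by hand before `break`, so the function gains one more exit path that must remember `FILEDESC_SUNLOCK(fdesc)`, next to the `E2BIG` path just above it. A short comment such as `/* Nothing to convert: leave the control message empty and never touch fdep[0]. */` would make it clear that the check is deliberately placed after the control mbuf is set up and before `fdep` is derived from it. The count presumably comes from a user-supplied control message length, so it is worth confirming that the two free sites guarded in this commit are the only consumers that dereference `fdep[0]` for an empty SCM_RIGHTS message. The body of unp_internalize starts and ends outside this hunk.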

