Bug #2136

socketpair() doesn't free file descriptors on copyout failure

Added by vsrinivas over 2 years ago. Updated about 1 year ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:-

Description

Hi,

sys_socketpair() has a copyout() to copy two file descriptors back to userspace;
if this copyout fails, the socketpair file descriptors are not freed.

-- vs

0001-linux_socketpair-Free-socketpair-file-descriptors-if.patch Magnifier (936 Bytes) jerome, 04/05/2013 09:13 AM

History

#1 Updated by vsrinivas over 2 years ago

Same bug is present in linux_socketpair().

#2 Updated by vsrinivas over 2 years ago

8b8ad3364067a0c4a6471fcdb98593e563ab6d31 should fix for the BSD ops vector;
linux_socketpair still needs a fix.

#3 Updated by jerome about 1 year ago

Here is a patch that, I think, fix linux_socketpair(), in the same way sys_socketpair() was fixed.

---
sys/emulation/linux/linux_socket.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/emulation/linux/linux_socket.c b/sys/emulation/linux/linux_socket.c
index b60870a..55644aa 100644
--- a/sys/emulation/linux/linux_socket.c
+++ b/sys/emulation/linux/linux_socket.c
@@ -556,8 +556,15 @@ linux_socketpair(struct linux_socketpair_args *args, int *res)
error = kern_socketpair(domain, linux_args.type, linux_args.protocol,
sockv);

- if (error == 0)
+ if (error == 0) {
error = copyout(sockv, linux_args.rsv, sizeof(sockv));
+
+ if (error != 0) {
+ kern_close(sockv[0]);
+ kern_close(sockv[1]);
+ }
+ }
+
return(error);
}

--

Also available in: Atom PDF