Bug #2136

open

socketpair() doesn't free file descriptors on copyout failure

Added by vsrinivas about 10 years ago. Updated over 8 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Hi,

sys_socketpair() has a copyout() to copy two file descriptors back to userspace;
if this copyout fails, the socketpair file descriptors are not freed.

-- vs
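A userspace regression check for the leak described above, as an added example that is not part of the original report or of the DragonFly tree. It forces socketpair() to fail at the copyout step and counts open descriptors before and after; the function names, `FD_SCAN_LIMIT`, and the choice of `(int *)-1` as a never-mapped address are assumptions made for this sketch.

```c
/* Added regression check; not code from the DragonFly tree. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

#define FD_SCAN_LIMIT 1024	/* assumption: the test process stays below this */

/* Count the descriptors currently open in this process. */
static int
count_open_fds(void)
{
	int fd, n = 0;
	for (fd = 0; fd < FD_SCAN_LIMIT; fd++)
		if (fcntl(fd, F_GETFD) != -1)
			n++;
	return (n);
}

/*
 * Make socketpair() fail at the copyout step and return how many
 * descriptors it left behind; -1 if the call did not fail with EFAULT.
 */
int
socketpair_efault_leak(void)
{
	/* Assumption: this address is never mapped in user space. */
	int *bad = (int *)(intptr_t)-1;
	int before, after, rc, saved_errno;

	before = count_open_fds();
	rc = socketpair(AF_UNIX, SOCK_STREAM, 0, bad);
	saved_errno = errno;	/* the scan below overwrites errno */
	after = count_open_fds();

	if (rc != -1 || saved_errno != EFAULT)
		return (-1);
	return (after - before);
}

int
main(void)
{
	int leaked = socketpair_efault_leak();
	printf("descriptors leaked on EFAULT: %d\n", leaked);
	return (leaked == 0 ? 0 : 1);
}
```

A kernel that releases the pair on copyout failure reports 0; one with the bug reported here would leave both descriptors open and report 2.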



Actions #1

Updated by vsrinivas about 10 years ago

Same bug is present in linux_socketpair().

Actions #2

Updated by vsrinivas about 10 years ago

8b8ad3364067a0c4a6471fcdb98593e563ab6d31 should fix for the BSD ops vector;
linux_socketpair still needs a fix.

Actions #3

Updated by jerome over 8 years ago

Here is a patch that, I think, fixes linux_socketpair(), in the same way sys_socketpair() was fixed.

---
sys/emulation/linux/linux_socket.c | 9 ++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/emulation/linux/linux_socket.c b/sys/emulation/linux/linux_socket.c
index b60870a..55644aa 100644
--- a/sys/emulation/linux/linux_socket.c
+++ b/sys/emulation/linux/linux_socket.c
@ -556,8 +556,15 @ linux_socketpair(struct linux_socketpair_args *args, int *res)
error = kern_socketpair(domain, linux_args.type, linux_args.protocol,
sockv);

- if (error 0)
+ if (error 0) {
error = copyout(sockv, linux_args.rsv, sizeof(sockv));
+
+ if (error != 0) {
+ kern_close(sockv0);
+ kern_close(sockv1);
+ }
+ }
+
return(error);
}
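
Review bot: the cleanup inside the new `if (error != 0)` block drops the return values of both kern_close() calls and carries no comment saying why the descriptors are being closed. Ignoring those results is reasonable here, since the copyout() error is what the caller should get from `return(error)`, but a one-line comment along the lines of "copyout failed, release the descriptors kern_socketpair() handed out" would make that intent explicit. Also worth a look: the close is by descriptor number, after kern_socketpair() has already returned the pair, so if another thread sharing the descriptor table can close and reuse one of those numbers before the cleanup runs, kern_close() would hit an unrelated file; if sys_socketpair() accepts the same window, say that this mirrors it. The empty `+` line between the copyout() call and the `if (error != 0)` test can go.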

--
