FreeBSD fifo_vnops.c资源泄漏本地拒绝服务漏洞
发布日期:2009-11-06
更新日期:2009-11-09
受影响系统:
FreeBSD FreeBSD 8.x
FreeBSD FreeBSD 7.x
FreeBSD FreeBSD 6.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 36949
FreeBSD是一种运行在Intel平台上、可以自由使用的开放源码类Unix操作系统。
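FreeBSD的usr/src/sys/fs/fifofs/fifo_vnops.c文件中的fifo_open()函数存在资源泄漏漏洞,本地用户可能借此造成拒绝服务。
从下面节选的代码看,以FWRITE加O_NONBLOCK方式打开且没有读者(fip->fi_readers == 0)时,函数只释放fifo_mtx便直接返回ENXIO,没有像后面msleep()出错的分支那样调用fifo_cleanup(vp)。
如果此前的 fip == NULL 分支(节选中以"..."省略)刚为该vnode分配了fifoinfo及其套接字,这些资源在该返回路径上可能得不到释放。
排查时应核对所用内核源码中这条ENXIO返回路径是否在返回前做了清理,并按FreeBSD官方发布的修复进行更新。
相关代码节选如下: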
/*
* Open called to set up a new instance of a fifo or
* to find an active instance of a fifo.
*/
/* ARGSUSED */
static int
fifo_open(ap)
struct vop_open_args /* {
struct vnode *a_vp;
int a_mode;
struct ucred *a_cred;
struct thread *a_td;
struct file *a_fp;
} */ *ap;
{
struct vnode *vp = ap->a_vp;
struct fifoinfo *fip;
struct thread *td = ap->a_td;
struct ucred *cred = ap->a_cred;
struct file *fp = ap->a_fp;
struct socket *rso, *wso;
int error;
...
if ((fip = vp->v_fifoinfo) == NULL) {
...
}
...
if (ap->a_mode & FWRITE) {
if ((ap->a_mode & O_NONBLOCK) && fip->fi_readers == 0) {
mtx_unlock(&fifo_mtx);
return (ENXIO);
}
fip->fi_writers++;
if (fip->fi_writers == 1) {
SOCKBUF_LOCK(&fip->fi_readsock->so_rcv);
fip->fi_readsock->so_rcv.sb_state &= ~SBS_CANTRCVMORE;
SOCKBUF_UNLOCK(&fip->fi_readsock->so_rcv);
if (fip->fi_readers > 0) {
wakeup(&fip->fi_readers);
sorwakeup(fip->fi_readsock);
}
}
}
...
if ((ap->a_mode & FWRITE) && fip->fi_readers == 0) {
VOP_UNLOCK(vp, 0);
error = msleep(&fip->fi_writers, &fifo_mtx,
PDROP | PCATCH | PSOCK, "fifoow", 0);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
if (error) {
fip->fi_writers--;
if (fip->fi_writers == 0) {
socantrcvmore(fip->fi_readsock);
mtx_lock(&fifo_mtx);
fip->fi_wgen++;
mtx_unlock(&fifo_mtx);
fifo_cleanup(vp);
}
return (error);
}
...
}