From unicorn@Unicorn.Forest.Od.UA  Mon Mar 12 03:24:20 2001
Return-Path: <unicorn@Unicorn.Forest.Od.UA>
Received: from Unicorn.Forest.Od.UA (Forest-2M-EuroPort.Forest.Od.UA [195.138.69.214])
	by hub.freebsd.org (Postfix) with ESMTP id 66F4237B719
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 12 Mar 2001 03:24:16 -0800 (PST)
	(envelope-from unicorn@Unicorn.Forest.Od.UA)
Received: (from unicorn@localhost)
	by Unicorn.Forest.Od.UA (8.11.3/8.11.3) id f2CBOLZ99380
	for FreeBSD-gnats-submit@freebsd.org; Mon, 12 Mar 2001 13:24:21 +0200 (EET)
	(envelope-from unicorn)
Message-Id: <200103121124.f2CBOLZ99380@Unicorn.Forest.Od.UA>
Date: Mon, 12 Mar 2001 13:24:21 +0200 (EET)
From: unicorn@Forest.Od.UA
Reply-To: unicorn@Forest.Od.UA
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Patch against crash caused by operations with half-binded sockets.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         25732
>Category:       kern
>Synopsis:       Patch against crash caused by operations with half-binded sockets.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 12 03:30:01 PST 2001
>Closed-Date:    Mon Mar 12 13:23:17 PST 2001
>Last-Modified:  Mon Mar 12 13:23:33 PST 2001
>Originator:     Winged Unicorn
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Valhala
>Environment:
System: FreeBSD Unicorn.Forest.Od.UA 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Feb 21 20:56:33 EET 2001 root@Unicorn.Forest.Od.UA:/usr/src/sys/compile/FOREST i386

	Working jail environment with NIS/YP installed.
>Description:
	If the bind() call fails to allocate a port due to a `prison_ip' permission failure,
	the socket is left in a half-bound state (bind returns an error, but doesn't
	undo the socket state; in case of failure bind should leave
	inp_laddr.s_addr == INADDR_ANY && inp_lport == 0, indicating that the socket
	is NOT yet bound). In the above case `bind' is aborted and the socket is left in a bound state,
	but isn't inserted in the hash lists (in_pcbinshash). Any operation on
	such a socket will cause dereferencing of hash pointers and lead to a crash.
>How-To-Repeat:
	In a jail with a NIS/YP environment, type `id some_nis_user'.
>Fix:
	`cvs diff in_pcb.c' follows:

Index: in_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.81
diff -r1.81 in_pcb.c
275c275,281
< 			if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr ))
---
> 			if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr )) {
> 				/*
> 				 * Undo any address bind that may have
> 				 * occurred above.
> 				 */
> 				inp->inp_laddr.s_addr = INADDR_ANY;
> 
276a283
> 			}
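Review bot: the undo added here (275c275,281 together with the closing brace from 276a283) resets only inp_laddr.s_addr, while the last hunk (346,347c355,361) resets both inp_laddr.s_addr and inp_lport; the description states that a failed bind must leave inp_laddr.s_addr == INADDR_ANY && inp_lport == 0, so if inp_lport can already be assigned when prison_ip() fails at this point it needs to be cleared here too, otherwise the `inp_lport == 0` half of that check still reports the socket as bound. Also the added `> ` line after the assignment is a whitespace-only line inside the new block; drop it so the reset is followed directly by the existing return.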
284c291,296
< 			if (p && (error = suser_xxx(0, p, PRISON_ROOT)))
---
> 			if (p && (error = suser_xxx(0, p, PRISON_ROOT))) {
> 				/*
> 				 * Undo any address bind that may have
> 				 * occurred above.
> 				 */
> 				inp->inp_laddr.s_addr = INADDR_ANY;
285a298
> 			}
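Review bot: same point as for the prison_ip() block: when suser_xxx() rejects the bind, only inp_laddr.s_addr is cleared and inp_lport is not, unlike the last hunk which clears both. Either reset inp_lport here as well, or extend the copied comment to say why inp_lport cannot have been assigned yet on this path.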
309,312d321
< 					/*
< 					 * Undo any address bind that may have
< 					 * occurred above.
< 					 */
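Review bot: this hunk (309,312d321) deletes only the four comment lines "Undo any address bind that may have occurred above", so whatever statement that comment described stays in place but loses its explanation, while the same comment text has just been copied into the two new blocks above. Keep the comment at this site too; if the statement it describes is meant to go as well, include it in the hunk so the removal is visible to the reviewer.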
346,347c355,361
< 	if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr))
< 		return(EINVAL);
---
> 	
> 	if (prison_ip(p->p_ucred, 0, &inp->inp_laddr.s_addr)) {
> 		inp->inp_laddr.s_addr = INADDR_ANY;
> 		inp->inp_lport = 0;
> 		return (EINVAL);
> 	}
> 	
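Review bot: the two `> 	` lines add whitespace-only lines (a lone tab) before and after the new block; remove them. This hunk is the only one that restores both inp_laddr.s_addr and inp_lport, which matches the invariant given in the description, so the earlier blocks should follow the same shape. The `return(EINVAL)` to `return (EINVAL)` spacing change is fine but unrelated to the fix, and without the function context a normal diff gives it is hard to see which function these lines belong to, which is why a unified diff was requested.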
>Release-Note:
>Audit-Trail:

From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: unicorn@Forest.Od.UA
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/25732: Patch against crash caused by operations with half-binded sockets. 
Date: Mon, 12 Mar 2001 12:43:22 +0100

 Please use "diff -u" and resubmit the patch.
 
 --
 Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
 phk@FreeBSD.ORG         | TCP/IP since RFC 956
 FreeBSD committer       | BSD since 4.3-tahoe    
 Never attribute to malice what can adequately be explained by incompetence.
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Mon Mar 12 13:23:17 PST 2001 
State-Changed-Why:  
Please see PR 25751 instead. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25732 
>Unformatted:
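To make the failure mode in the description concrete, here is an added, constructed C model. It is not FreeBSD kernel code and not the submitter's patch: struct pcb carries only the fields the PR names (inp_laddr.s_addr, inp_lport, the hash-list link that in_pcbinshash sets), jail_permits() is a hypothetical stand-in for the prison_ip() permission check, and the two bind variants show the error path either leaving the partial state behind (the bug) or restoring INADDR_ANY/0 (the fix). pcb_state() is the consistency check a later operation relies on; its -1 result is the "looks bound but was never hashed" condition whose hash-pointer dereference the PR reports.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not FreeBSD's struct inpcb and not in_pcb.c. */
#define ANY_ADDR   0u     /* stands in for INADDR_ANY */
#define ERR_EINVAL 22     /* stands in for EINVAL */

struct pcb {
    uint32_t laddr;          /* models inp_laddr.s_addr */
    uint16_t lport;          /* models inp_lport */
    struct pcb *hash_next;   /* models the hash-list link set by in_pcbinshash */
    int in_hash;             /* 1 once the pcb has been inserted in the hash list */
};

/* Hypothetical stand-in for prison_ip(): a jailed process may bind only
 * the jail's own address (or the wildcard). */
static int jail_permits(uint32_t jail_addr, uint32_t requested)
{
    return requested == ANY_ADDR || requested == jail_addr;
}

/* Model of in_pcbinshash: link the pcb into a single-bucket hash list. */
static struct pcb *hash_head;
static void pcb_inshash(struct pcb *p)
{
    p->hash_next = hash_head;
    hash_head = p;
    p->in_hash = 1;
}

/* Buggy bind: assigns address and port, then fails the permission check
 * and returns without undoing the assignment (the state the PR describes). */
int bind_buggy(struct pcb *p, uint32_t jail_addr, uint32_t addr, uint16_t port)
{
    p->laddr = addr;
    p->lport = port;
    if (!jail_permits(jail_addr, addr))
        return ERR_EINVAL;          /* laddr/lport left set, pcb never hashed */
    pcb_inshash(p);
    return 0;
}

/* Fixed bind: same flow, but the error path restores the unbound state
 * (INADDR_ANY / port 0), which is what the PR's patch adds. */
int bind_fixed(struct pcb *p, uint32_t jail_addr, uint32_t addr, uint16_t port)
{
    p->laddr = addr;
    p->lport = port;
    if (!jail_permits(jail_addr, addr)) {
        p->laddr = ANY_ADDR;        /* undo any address bind that occurred above */
        p->lport = 0;
        return ERR_EINVAL;
    }
    pcb_inshash(p);
    return 0;
}

/* Consistency check a later operation depends on:
 *   0  unbound (laddr == ANY && lport == 0): nothing to look up
 *   1  bound and present in the hash list
 *  -1  inconsistent: looks bound but was never hashed; following
 *      hash_next from here is the dereference the PR reports */
int pcb_state(const struct pcb *p)
{
    int looks_bound = (p->laddr != ANY_ADDR || p->lport != 0);
    if (!looks_bound)
        return 0;
    return p->in_hash ? 1 : -1;
}

/* Run one constructed scenario on a fresh pcb and return its pcb_state():
 * 0 = buggy bind refused, 1 = fixed bind refused, 2 = fixed bind allowed. */
int scenario(int which)
{
    static struct pcb slots[3];
    const uint32_t jail = 0xC0A80001u;      /* constructed jail address 192.168.0.1 */
    const uint32_t foreign = 0x0A000001u;   /* constructed non-jail address 10.0.0.1 */
    struct pcb *p = &slots[which % 3];

    hash_head = NULL;
    memset(p, 0, sizeof(*p));
    if (which == 0)
        bind_buggy(p, jail, foreign, 8080);  /* refused, state not undone */
    else if (which == 1)
        bind_fixed(p, jail, foreign, 8080);  /* refused, state restored */
    else
        bind_fixed(p, jail, jail, 8080);     /* allowed, pcb hashed */
    return pcb_state(p);
}

int main(void)
{
    printf("buggy bind refused : state=%d\n", scenario(0));  /* -1 */
    printf("fixed bind refused : state=%d\n", scenario(1));  /*  0 */
    printf("fixed bind allowed : state=%d\n", scenario(2));  /*  1 */
    return 0;
}
```

The point the model makes is the one the description makes: a failed bind must leave the pcb indistinguishable from one that was never bound, because every later operation uses the laddr/lport fields to decide whether the hash linkage is valid.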
