CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Mark Johnston <markj@FreeBSD.org>
	Fri, 10 Apr 2020 20:41:59 +0000 (20:41 +0000)
committer	Mark Johnston <markj@FreeBSD.org>
	Fri, 10 Apr 2020 20:41:59 +0000 (20:41 +0000)
commit	a50b1900a02f1e279cc5822d06af90e704bc32db
tree	e15d38372132758dc70ac0b8af4bca3c1431d1d4	tree \| snapshot
parent	8fe63c2af8ed64892befbd2bacb6cac8b4315f8e	commit \| diff

Properly handle disconnected sockets in uipc_ready().

When transmitting over a unix socket, data is placed directly into the
receiving socket's receive buffer, instead of the transmitting socket's
send buffer.  This means that when pru_ready is called during
sendfile(), the passed socket does not contain M_NOTREADY mbufs in its
buffers; uipc_ready() must locate the linked socket.

Currently uipc_ready() frees the mbufs if the socket is disconnected,
but this is wrong since the mbufs may still be present in the receiving
socket's buffer after a disconnect.  This can result in a use-after-free
and potentially a double free if the receive buffer is flushed after
uipc_ready() frees the mbufs.

Fix the problem by trying harder to locate the correct socket buffer and
calling sbready(): use the global list of SOCK_STREAM unix sockets to
search for a sockbuf containing the now-ready mbufs.  Only free the
mbufs if we fail this search.

Reviewed by: jah, kib
Reported and tested by: pho
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D24332