1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
From 8cfdedee369c26d2869b6ec4a64460b5f5a30934 Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tmark@isc.org>
Date: Thu, 7 Dec 2017 11:39:30 -0500
Subject: [PATCH] [v4_3] Plugs a socket descriptor leak in OMAPI
Merges in rt46767.
Upstream-Status: Backport
[https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=5097bc0559f592683faac1f67bf350e1bddf6ed4]
CVE: CVE-2017-3144
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
RELNOTES | 7 +++++++
omapip/buffer.c | 9 +++++++++
omapip/message.c | 2 +-
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/RELNOTES b/RELNOTES
index dd40aaf..3741b80 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -66,6 +66,13 @@ We welcome comments from DHCP users, about this or anything else we do.
Email Vicky Risk, Product Manager at vicky@isc.org or discuss on
dhcp-users@lists.isc.org.
+- Plugged a socket descriptor leak in OMAPI, that can occur when there is
+ data pending to be written to an OMAPI connection, when the connection
+ is closed by the reader. Thanks to Pavel Zhukov at RedHat for bringing
+ this issue to our attention and whose patch helped guide us in the right
+ direction.
+ [ISc-Bugs #46767]
+
Changes since 4.3.6b1
- None
diff --git a/omapip/buffer.c b/omapip/buffer.c
index f7fdc32..809034d 100644
--- a/omapip/buffer.c
+++ b/omapip/buffer.c
@@ -566,6 +566,15 @@ isc_result_t omapi_connection_writer (omapi_object_t *h)
omapi_buffer_dereference (&buffer, MDL);
}
}
+
+ /* If we had data left to write when we're told to disconnect,
+ * we need recall disconnect, now that we're done writing.
+ * See rt46767. */
+ if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) {
+ omapi_disconnect (h, 1);
+ return ISC_R_SHUTTINGDOWN;
+ }
+
return ISC_R_SUCCESS;
}
diff --git a/omapip/message.c b/omapip/message.c
index 59ccdc2..21bcfc3 100644
--- a/omapip/message.c
+++ b/omapip/message.c
@@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (omapi_object_t *mo)
}
#ifdef DEBUG_PROTOCOL
-static const char *omapi_message_op_name(int op) {
+const char *omapi_message_op_name(int op) {
switch (op) {
case OMAPI_OP_OPEN: return "OMAPI_OP_OPEN";
case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH";
--
2.7.4
|
