| From 8cfdedee369c26d2869b6ec4a64460b5f5a30934 Mon Sep 17 00:00:00 2001 |
| From: Thomas Markwalder <tmark@isc.org> |
| Date: Thu, 7 Dec 2017 11:39:30 -0500 |
| Subject: [PATCH] [v4_3] Plugs a socket descriptor leak in OMAPI |
| |
| Merges in rt46767. |
| |
| Upstream-Status: Backport |
| [https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=5097bc0559f592683faac1f67bf350e1bddf6ed4] |
| |
| CVE: CVE-2017-3144 |
| |
| Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> |
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| --- |
| RELNOTES | 7 +++++++ |
| omapip/buffer.c | 9 +++++++++ |
| omapip/message.c | 2 +- |
| 3 files changed, 17 insertions(+), 1 deletion(-) |
| |
| diff --git a/RELNOTES b/RELNOTES |
| index dd40aaf..3741b80 100644 |
| --- a/RELNOTES |
| +++ b/RELNOTES |
| @@ -66,6 +66,13 @@ We welcome comments from DHCP users, about this or anything else we do. |
| Email Vicky Risk, Product Manager at vicky@isc.org or discuss on |
| dhcp-users@lists.isc.org. |
| |
| +- Plugged a socket descriptor leak in OMAPI, that can occur when there is |
| + data pending to be written to an OMAPI connection, when the connection |
| + is closed by the reader. Thanks to Pavel Zhukov at RedHat for bringing |
| + this issue to our attention and whose patch helped guide us in the right |
| + direction. |
| + [ISc-Bugs #46767] |
| + |
| Changes since 4.3.6b1 |
| |
| - None |
| diff --git a/omapip/buffer.c b/omapip/buffer.c |
| index f7fdc32..809034d 100644 |
| --- a/omapip/buffer.c |
| +++ b/omapip/buffer.c |
| @@ -566,6 +566,15 @@ isc_result_t omapi_connection_writer (omapi_object_t *h) |
| omapi_buffer_dereference (&buffer, MDL); |
| } |
| } |
| + |
| + /* If we had data left to write when we're told to disconnect, |
| + * we need recall disconnect, now that we're done writing. |
| + * See rt46767. */ |
| + if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) { |
| + omapi_disconnect (h, 1); |
| + return ISC_R_SHUTTINGDOWN; |
| + } |
| + |
| return ISC_R_SUCCESS; |
| } |
| |
| diff --git a/omapip/message.c b/omapip/message.c |
| index 59ccdc2..21bcfc3 100644 |
| --- a/omapip/message.c |
| +++ b/omapip/message.c |
| @@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (omapi_object_t *mo) |
| } |
| |
| #ifdef DEBUG_PROTOCOL |
| -static const char *omapi_message_op_name(int op) { |
| +const char *omapi_message_op_name(int op) { |
| switch (op) { |
| case OMAPI_OP_OPEN: return "OMAPI_OP_OPEN"; |
| case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH"; |
| -- |
| 2.7.4 |
| |