[Midnightbsd-cvs] src [12219] trunk/sys/kern/uipc_mqueue.c: System calls operating on file descriptors obtain a reference to

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Wed Jul 24 23:18:13 EDT 2019


Revision: 12219
          http://svnweb.midnightbsd.org/src/?rev=12219
Author:   laffer1
Date:     2019-07-24 23:18:12 -0400 (Wed, 24 Jul 2019)
Log Message:
-----------
System calls operating on file descriptors obtain a reference to
relevant struct file which due to a programming error was not always put
back, which in turn could be used to overflow the counter of affected
struct file.

Modified Paths:
--------------
    trunk/sys/kern/uipc_mqueue.c

Modified: trunk/sys/kern/uipc_mqueue.c
===================================================================
--- trunk/sys/kern/uipc_mqueue.c	2019-07-24 22:55:45 UTC (rev 12218)
+++ trunk/sys/kern/uipc_mqueue.c	2019-07-25 03:18:12 UTC (rev 12219)
@@ -2266,7 +2266,7 @@
 	if (uap->abs_timeout != NULL) {
 		error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 		if (error != 0)
-			return (error);
+			goto out;
 		abs_timeout = &ets;
 	} else
 		abs_timeout = NULL;
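Review bot: Nothing at the `goto out;` in this hunk records why a plain return is wrong here, and the same holds for the matching hunks starting at old lines 2291 and 2835. The `fdrop(fp, td)` further down implies that fp already holds a reference when copyin runs, so any exit that skips `out:` leaves one count behind per call, which is the counter overflow the log message describes. A one-line comment above the copyin, e.g. `/* fp is referenced from here on; every error path must leave via out: so fdrop() runs. */`, would keep a later edit from reintroducing the early return. The function begins outside the hunk, so whether other direct returns sit between the descriptor lookup and this line cannot be checked from here.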
@@ -2273,6 +2273,7 @@
 	waitok = !(fp->f_flag & O_NONBLOCK);
 	error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 		uap->msg_prio, waitok, abs_timeout);
+out:
 	fdrop(fp, td);
 	return (error);
 }
@@ -2291,7 +2292,7 @@
 	if (uap->abs_timeout != NULL) {
 		error = copyin(uap->abs_timeout, &ets, sizeof(ets));
 		if (error != 0)
-			return (error);
+			goto out;
 		abs_timeout = &ets;
 	} else
 		abs_timeout = NULL;
@@ -2298,6 +2299,7 @@
 	waitok = !(fp->f_flag & O_NONBLOCK);
 	error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
 		uap->msg_prio, waitok, abs_timeout);
+out:
 	fdrop(fp, td);
 	return (error);
 }
@@ -2835,7 +2837,7 @@
 	if (uap->abs_timeout != NULL) {
 		error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
 		if (error != 0)
-			return (error);
+			goto out;
 		CP(ets32, ets, tv_sec);
 		CP(ets32, ets, tv_nsec);
 		abs_timeout = &ets;
@@ -2844,6 +2846,7 @@
 	waitok = !(fp->f_flag & O_NONBLOCK);
 	error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
 		uap->msg_prio, waitok, abs_timeout);
+out:
 	fdrop(fp, td);
 	return (error);
 }
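Review bot: The `mqueue_receive` call in this hunk is the second receive path this commit fixes (the one that copies in `ets32`), but only one `mqueue_send` path is touched, so the fix looks asymmetric. If the file also has a 32-bit timed-send entry point with the same `copyin` followed by `return (error);`, it still leaks the struct file reference and needs the same `goto out;` and `out:` label. That function is not visible in this diff, so it should be checked against the full file before the reference leak is treated as closed.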


