Some socket syscalls fail to return an error on bad file-descriptor# argument

Discussion:

Tony Griffiths

2006-06-01 03:38:55 UTC

Description:

The sockfd_lookup_light() function does not set the return error status
on a particular failure mode when the passed-in fd# is erroneous.

Environment:

2.6.16 kernel with the -mm2 patch-set applied. Linux 2.6.17 kernels are
also affected. Without the fix, a number of tests in LTP fail! Any
program calling one of the syscalls listed below with a bad fd# will not
get an error return indicating that the syscall failed.

Fix:

The attached patch correctly sets *err = -EBADF if the attempt to map
the fd# to a file pointer returns NULL. The following syscalls are
affected-

bind()
listen()
accept()
connect()
getsockname()
getpeername()
setsockopt()
setsockopt()
shutdown()
sendmsg()
recvmsg()

Hua Zhong

2006-06-01 04:33:00 UTC

Permalink

This has been fixed in 2.6.17.

-----Original Message-----
Griffiths
Sent: Wednesday, May 31, 2006 8:39 PM
Subject: Some socket syscalls fail to return an error on bad
file-descriptor# argument
The sockfd_lookup_light() function does not set the return
error status on a particular failure mode when the passed-in
fd# is erroneous.
2.6.16 kernel with the -mm2 patch-set applied. Linux 2.6.17
kernels are also affected. Without the fix, a number of
tests in LTP fail! Any program calling one of the syscalls
listed below with a bad fd# will not get an error return
indicating that the syscall failed.
The attached patch correctly sets *err = -EBADF if the
attempt to map the fd# to a file pointer returns NULL. The
following syscalls are
affected-
bind()
listen()
accept()
connect()
getsockname()
getpeername()
setsockopt()
setsockopt()
shutdown()
sendmsg()
recvmsg()

Andrew Morton

2006-06-01 04:41:16 UTC

Permalink

On Thu, 01 Jun 2006 13:38:55 +1000

diff -urpN ./net/socket.c.orig ./net/socket.c
--- ./net/socket.c.orig 2006-06-01 10:28:30.000000000 +1000
+++ ./net/socket.c 2006-06-01 10:34:09.000000000 +1000
@@ -496,6 +496,8 @@ static struct socket *sockfd_lookup_ligh
if (sock)
return sock;
fput_light(file, *fput_needed);
+ } else {
+ *err = -EBADF;
}
return NULL;
}

Confused. That patch cannot make any difference to this function:

static struct socket *sockfd_lookup_light(int fd, int *err, int *fput_needed)
{
struct file *file;
struct socket *sock;

*err = -EBADF;
file = fget_light(fd, fput_needed);
if (file) {
sock = sock_from_file(file, err);
if (sock)
return sock;
fput_light(file, *fput_needed);
}
return NULL;
}

James Morris

2006-06-01 07:21:02 UTC

Permalink

Yep, the code definitely looks correct in current LT git.

Post by Andrew Morton
static struct socket *sockfd_lookup_light(int fd, int *err, int *fput_needed)
{
struct file *file;
struct socket *sock;
*err = -EBADF;
file = fget_light(fd, fput_needed);
if (file) {
sock = sock_from_file(file, err);
if (sock)
return sock;
fput_light(file, *fput_needed);
}
return NULL;
}

- James

--
James Morris
<***@namei.org>