base-linux: Fix use-after-free problem of ds fds

Fixes #717
Norman Feske 2013-04-24 14:10:15 +02:00
parent 511cab6192
commit e39ff055ba
2 changed files with 16 additions and 1 deletions


@ -41,6 +41,12 @@ inline int lx_unlink(const char *fname)
} }
inline int lx_dup(int fd)
{
return lx_syscall(SYS_dup, fd);
}
/******************************************************* /*******************************************************
** Functions used by core's rom-session support code ** ** Functions used by core's rom-session support code **
*******************************************************/ *******************************************************/
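Review bot: `lx_dup` is added without a comment, and the descriptor it returns does not carry the close-on-exec flag of `fd`, because dup(2) always leaves that flag cleared on the duplicate. If core can start a child process while such a duplicate is open, the child would inherit a handle to the dataspace file; whether that window exists is not visible from this hunk. A one-line comment such as `/* returns a new descriptor owned by the caller; FD_CLOEXEC is not set on it */` would make the contract explicit for future callers.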


@ -216,7 +216,16 @@ int Platform_env_base::Rm_session_mmap::_dataspace_fd(Capability<Dataspace> ds_c
ds_rpc(core_env()->entrypoint()->lookup_and_lock(lx_ds_cap)); ds_rpc(core_env()->entrypoint()->lookup_and_lock(lx_ds_cap));
Linux_dataspace * ds = dynamic_cast<Linux_dataspace *>(&*ds_rpc); Linux_dataspace * ds = dynamic_cast<Linux_dataspace *>(&*ds_rpc);
return ds ? ds->fd().dst().socket : -1; /*
* Return a duplicate of the dataspace file descriptor, which will be freed
* immediately after mmap'ing the file (see 'Rm_session_mmap').
*
* Handing out the original file descriptor would result in the premature
* release of the descriptor. So the descriptor could be reused (i.e., as a
* socket descriptor during the RPC handling). When later destroying the
* dataspace, the descriptor would unexpectedly be closed again.
*/
return ds ? lx_dup(ds->fd().dst().socket) : -1;
} }
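Review bot: `_dataspace_fd` now returns a descriptor that the caller owns, and the result of `lx_dup` in the new return statement is passed through unchecked. If the duplication fails (for instance when the descriptor table is full), the caller presumably receives whatever negative value `lx_syscall` yields, which need not be the `-1` sentinel of the `ds ? … : -1` branch, so callers should test `fd < 0` rather than `fd == -1`. The new comment says the duplicate is closed right after the mmap; every early-exit path in the caller needs the same close, otherwise each failed attach leaks one descriptor. I would state this in the function's header comment, which lies outside this hunk: `\return duplicate of the dataspace fd, to be closed by the caller, or a negative value on error`.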