The context I came upon this question is dbus filedescriptor passing but the question is valid more broadly. Assume you are implementing some service that is supposed to receive some kind of filedescriptor for client processes. You get a message that is in some kind or another malformed but you have already received the filedescriptor.

What do you do with that fd? Is close()ing it guaranteed to be enough?

The question was sparked by a safety comment on rusts abstraction of a OwnedFd, which will run close() in its destructor and binds you by contract to only create it from a filedescriptor if close is all that is needed for cleanup.

This of course made me worry about the possibility of malicious clients sending special filedescriptors that accumulate some kind of ressource on the server process causing some kind of DOS.

I guess a secondary question is: Do you know any example where calling close() is not enough?

  • Killing_Spark@feddit.deOP
    link
    fedilink
    arrow-up
    1
    ·
    9 months ago

    Just not handling the filedescriptors isn’t really an option though. They should at least be closed to ensure the process doesn’t run out of filedescriptors which would be a pretty easy way of DOS’ing that service