The context I came upon this question is dbus filedescriptor passing but the question is valid more broadly. Assume you are implementing some service that is supposed to receive some kind of filedescriptor for client processes. You get a message that is in some kind or another malformed but you have already received the filedescriptor.
What do you do with that fd? Is close()
ing it guaranteed to be enough?
The question was sparked by a safety comment on rusts abstraction of a OwnedFd, which will run close()
in its destructor and binds you by contract to only create it from a filedescriptor if close
is all that is needed for cleanup.
This of course made me worry about the possibility of malicious clients sending special filedescriptors that accumulate some kind of ressource on the server process causing some kind of DOS.
I guess a secondary question is: Do you know any example where calling close()
is not enough?
Removed by mod