The context I came upon this question is dbus filedescriptor passing but the question is valid more broadly. Assume you are implementing some service that is supposed to receive some kind of filedescriptor for client processes. You get a message that is in some kind or another malformed but you have already received the filedescriptor.
What do you do with that fd? Is close()
ing it guaranteed to be enough?
The question was sparked by a safety comment on rusts abstraction of a OwnedFd, which will run close()
in its destructor and binds you by contract to only create it from a filedescriptor if close
is all that is needed for cleanup.
This of course made me worry about the possibility of malicious clients sending special filedescriptors that accumulate some kind of ressource on the server process causing some kind of DOS.
I guess a secondary question is: Do you know any example where calling close()
is not enough?
I think your last question is what I would focus on. There’s not much you can do with malformed anything unless you’re expecting, so I don’t know what else you would do aside from throw an exception and move on.
Just not handling the filedescriptors isn’t really an option though. They should at least be closed to ensure the process doesn’t run out of filedescriptors which would be a pretty easy way of DOS’ing that service
Yes, I’m agreeing. You should be closing any open resources as part of your usual logic.