bin/113881: [sysctl] Wrong memory usage
Alexander Drozdov
dzal_mail at mtu-net.ru
Wed Jun 20 14:20:23 UTC 2007
>Number: 113881
>Category: bin
>Synopsis: [sysctl] Wrong memory usage
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 20 14:20:21 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Alexander Drozdov
>Release: FreeBSD 6.2-RELEASE i386
>Organization:
Inline Telecom Solutions
>Environment:
FreeBSD sorcerer.bm.in-line.local 6.2-RELEASE FreeBSD 6.2-RELEASE #4: Mon Jan 15 16:56:39 MSK 2007 sorcerer at sorcerer.bm.in-line.local:/usr/obj/usr/src/sys/GENERIC i386
>Description:
There are bugs in /usr/src/sbin/sysctl/sysctl.c
1. In S_timeval():
The strdup()-ed string needs to be free()d;
2. In sysctl_all():
I'm not sure, but I think that the length of the name1 array should be greater than that of name2 by 2, because data is copied via memcpy() at the bottom of the function;
3. In show_var():
Printing freed data.
>How-To-Repeat:
Via valgrind, running
sysctl -a
>Fix:
A patch.
Patch attached with submission follows:
--- sysctl.c.orig Wed Jun 20 17:49:09 2007
+++ sysctl.c Wed Jun 20 17:58:27 2007
@@ -372,6 +372,7 @@
if (*p2 == '\n')
*p2 = '\0';
fputs(p1, stdout);
+ free(p1);
return (0);
}
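Review bot: free(p1) is added only on the path that ends in `return (0);` here, and the context lines write through p2 and call fputs(p1, stdout) with no NULL check in view. If p1 is the strdup() result the description mentions, check it for NULL before the `*p2 = '\0';` write, and confirm that no earlier return between the strdup() and this point leaves the copy unfreed.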
@@ -684,10 +685,13 @@
else
func = NULL;
if (func) {
+ int rc;
+
if (!nflag)
printf("%s%s", name, sep);
+ rc = (*func)(len, p);
free(oval);
- return ((*func)(len, p));
+ return (rc);
}
/* FALLTHROUGH */
default:
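Review bot: In the `if (func)` block nothing records why the handler call has to come before free(oval). The reordering implies that p still refers to the oval buffer, so a one-line comment at `rc = (*func)(len, p);` would keep a later cleanup from folding it back into a return placed after the free. As a style point, rc could be declared with the function's other locals instead of inside the nested block. It is also worth checking that the FALLTHROUGH path, taken when func is NULL, releases oval further down.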
@@ -712,7 +716,7 @@
static int
sysctl_all (int *oid, int len)
{
- int name1[22], name2[22];
+ int name1[24], name2[22];
int i, j;
size_t l1, l2;
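Review bot: In `int name1[24], name2[22];` the two sizes are unrelated literals, so the "name1 is name2 plus 2" relationship the description relies on is not visible in the code and can drift if either number changes. Derive one size from the other (a shared constant, with name1 declared as that constant + 2) and add a comment naming the memcpy() at the bottom of sysctl_all() as the reason. Since the submitter is unsure about this hunk, the memcpy() length should also be checked against the destination size before the change is committed.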
>Release-Note:
>Audit-Trail:
>Unformatted: