bin/113881: [sysctl] Wrong memory usage

Alexander Drozdov dzal_mail at mtu-net.ru
Wed Jun 20 14:20:23 UTC 2007


>Number:         113881
>Category:       bin
>Synopsis:       [sysctl] Wrong memory usage
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 20 14:20:21 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Drozdov
>Release:        FreeBSD 6.2-RELEASE i386
>Organization:
Inline Telecom Solutions
>Environment:
FreeBSD sorcerer.bm.in-line.local 6.2-RELEASE FreeBSD 6.2-RELEASE #4: Mon Jan 15 16:56:39 MSK 2007     sorcerer at sorcerer.bm.in-line.local:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
There are bugs in /usr/src/sbin/sysctl/sysctl.c

1. In S_timeval():
   The strdup()-ed string needs to be free()d;
2. In sysctl_all():
   I'm not sure, but I think that the name1 array length should be greater than that of name2 by 2, because of the data copied via memcpy() at the bottom of the function;
3. In show_var():
   Printing freed data.
>How-To-Repeat:
Via valgrind, running

sysctl -a
>Fix:
A patch.

Patch attached with submission follows:

--- sysctl.c.orig	Wed Jun 20 17:49:09 2007
+++ sysctl.c	Wed Jun 20 17:58:27 2007
@@ -372,6 +372,7 @@
 		if (*p2 == '\n')
 			*p2 = '\0';
 	fputs(p1, stdout);
+	free(p1);
 	return (0);
 }
 
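Review bot: the added `free(p1);` releases the buffer only on the `return (0)` path shown in this hunk, and the allocation itself is above the visible context. Please confirm there is no earlier return between the strdup() named in the description and this point, and that the strdup() result is checked for NULL before the loop dereferences `*p2`; otherwise the leak is fixed but a failed allocation still crashes here.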
@@ -684,10 +685,13 @@
 		else
 			func = NULL;
 		if (func) {
+			int rc;
+
 			if (!nflag)
 				printf("%s%s", name, sep);
+			rc = (*func)(len, p);
 			free(oval);
-			return ((*func)(len, p));
+			return (rc);
 		}
 		/* FALLTHROUGH */
 	default:
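Review bot: the reordering in the `if (func)` block depends on `(*func)(len, p)` running before `free(oval)`, but nothing in the code says why, so a later cleanup could fold it back into `return ((*func)(len, p));` after the free. Add a one-line comment above `rc = (*func)(len, p);` stating that the handler reads the buffer being freed, and consider declaring `rc` with the function's other locals instead of inside the block. It is also worth checking whether the `/* FALLTHROUGH */` path into `default:` frees `oval` on its own return, since that is not visible here.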
@@ -712,7 +716,7 @@
 static int
 sysctl_all (int *oid, int len)
 {
-	int name1[22], name2[22];
+	int name1[24], name2[22];
 	int i, j;
 	size_t l1, l2;
 
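Review bot: in `int name1[24], name2[22];` both sizes are bare literals, and the memcpy() that motivates the extra two elements is outside this hunk, so the hunk gives no way to verify that 24 is sufficient (the description itself says "I'm not sure"). Express the relationship in the declaration, for example by sizing `name2` from a named constant and `name1` from that constant plus 2, and bound the copy length at the memcpy() site against `sizeof(name1)` so the write cannot exceed the array if either size changes later.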


>Release-Note:
>Audit-Trail:
>Unformatted:

