kern/132104: kenv buffer overflow
Jaakko Heinonen
jh at saunalahti.fi
Wed Feb 25 11:00:12 PST 2009
The following reply was made to PR kern/132104; it has been noted by GNATS.
From: Jaakko Heinonen <jh at saunalahti.fi>
To: Dylan Cochran <a134qaed at gmail.com>
Cc: bug-followup at FreeBSD.org
Subject: Re: kern/132104: kenv buffer overflow
Date: Wed, 25 Feb 2009 20:56:26 +0200
Hi,
On 2009-02-25, Dylan Cochran wrote:
> This prevents the panic condition, but also increases the amount of
> time the mutex is held. Comments?
>
> mtx_lock(&kenv_lock);
> cp = _getenv_dynamic(name, NULL);
> if (cp != NULL) {
> - strcpy(buf, cp);
> - mtx_unlock(&kenv_lock);
> - len = strlen(buf) + 1;
> + len = strlen(cp) + 1;
> ret = malloc(len, M_KENV, M_WAITOK);
> - strcpy(ret, buf);
> + strcpy(ret, cp);
> + mtx_unlock(&kenv_lock);
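Review bot: Moving `mtx_unlock(&kenv_lock);` below `ret = malloc(len, M_KENV, M_WAITOK);` puts a potentially sleeping allocation inside the mutex-held region; M_WAITOK lets malloc(9) sleep, and sleeping while holding a mutex is not allowed. Two ways out without reintroducing the fixed-size `buf` that the removed `strcpy(buf, cp);` overflowed: take `len` under the lock, drop the lock before the allocation, then re-lock, look the name up again (the variable may have changed or disappeared while unlocked) and copy with a length-bounded routine so a grown value cannot overrun `ret`; or keep the lock and allocate with M_NOWAIT, handling a NULL return. Either way the now-unused `buf` declaration should be dropped in the same change, which the hunk does not show.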
malloc(9) with the M_WAITOK flag could sleep. You are not allowed to sleep
while holding a mutex.
--
Jaakko