[Bug 172675] [netinet] [patch] sysctl_tcp_hc_list (net.inet.tcp.hostcache.list) race condition causing memory corruption

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jan 13 20:58:07 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172675

John Baldwin <jhb at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhb at FreeBSD.org

--- Comment #6 from John Baldwin <jhb at FreeBSD.org> ---
Created attachment 151584
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=151584&action=edit
sbuf_hc_list.patch

It is true that cache_count updates are very racy, and it might be worth fixing
them to be atomic.  However, those would not prevent the corruption.  If the
cache grew during the sysctl even with the atomic ops you could still overflow
the buffer.

I started out by adding explicit checks of 'p - buf >= bufsize' to break out of
the loop.  However, the sbuf(9) API already provides a nice way to handle
variable output into a fixed size buffer while handling overflow correctly,
etc.  I've attached a patch which takes this route and converts the sysctl to
use an sbuf instead.  Please test.

-- 
You are receiving this mail because:
You are the assignee for the bug.
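
The failure mode in the comment above (a buffer sized from an earlier entry count, then filled while the list has grown) and the bounded-append remedy, as an added userland example that is not the attached patch or any FreeBSD code. `bounded_buf`, `bb_printf`, `dump_entries` and the entry format are hypothetical stand-ins, not the sbuf(9) API.

```c
#include <stdarg.h>
#include <stdio.h>

#define LINE_LEN 29   /* constructed: exact length of one formatted entry */

/* Hypothetical userland stand-in for a fixed-size sbuf (not the sbuf(9) API):
 * it never writes past buf[size-1] and latches an error on overflow. */
struct bounded_buf { char *buf; size_t size, len; int error; };

static int bb_printf(struct bounded_buf *b, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (b->error) return -1;         /* once overflowed, stay overflowed */
    va_start(ap, fmt);
    n = vsnprintf(b->buf + b->len, b->size - b->len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= b->size - b->len) {
        b->buf[b->len] = '\0';       /* discard the partial entry */
        b->error = 1;
        return -1;
    }
    b->len += (size_t)n;
    return 0;
}

/* Walk 'actual' entries into a buffer that was sized from an earlier count.
 * Returns entries emitted; *overflowed reports that the list outgrew it. */
static int dump_entries(char *out, size_t outsz, int actual, int *overflowed)
{
    struct bounded_buf b = { out, outsz, 0, outsz == 0 };
    int i;
    if (outsz > 0) out[0] = '\0';
    for (i = 0; i < actual; i++)
        if (bb_printf(&b, "host-%04d mtu=1500 rtt=%5d\n", i, i * 10) != 0)
            break;
    *overflowed = b.error;
    return i;
}

int main(void)
{
    char buf[4 * LINE_LEN + 1];      /* sized when the count was 4 */
    int over, n = dump_entries(buf, sizeof(buf), 6, &over); /* grew to 6 */
    printf("%s-- emitted %d, overflowed=%d\n", buf, n, over);
    return 0;
}
```

The unchecked equivalent advances a pointer by each formatted length and would write entries 5 and 6 past the end of the buffer; here the walk stops at 4 and the caller learns the output was cut short.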

