From owner-freebsd-bugs@FreeBSD.ORG  Sun May  8 13:50:04 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 86FAF16A4F2
	for <freebsd-bugs@hub.freebsd.org>;
	Sun,  8 May 2005 13:50:04 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1BB5343D75
	for <freebsd-bugs@hub.freebsd.org>;
	Sun,  8 May 2005 13:50:04 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j48Do3id004293
	for <freebsd-bugs@freefall.freebsd.org>; Sun, 8 May 2005 13:50:03 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j48Do3Gb004291;
	Sun, 8 May 2005 13:50:03 GMT
	(envelope-from gnats)
Resent-Date: Sun, 8 May 2005 13:50:03 GMT
Resent-Message-Id: <200505081350.j48Do3Gb004291@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, hselasky@c2i.net
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5253716A4E2
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun,  8 May 2005 13:44:21 +0000 (GMT)
Received: from swip.net (mailfe03.swip.net [212.247.154.65])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B8C3843D9B
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun,  8 May 2005 13:44:20 +0000 (GMT)
	(envelope-from hselasky@c2i.net)
Received: from mp-217-229-50.daxnet.no ([193.217.229.50] verified)
	by mailfe03.swip.net (CommuniGate Pro SMTP 4.3c5)
	with ESMTP id 163444089 for FreeBSD-gnats-submit@freebsd.org;
	Sun, 08 May 2005 15:44:17 +0200
Message-Id: <200505081545.01840.hselasky@c2i.net>
Date: Sun, 8 May 2005 15:45:00 +0200
From: Hans Petter Selasky <hselasky@c2i.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/80775: sysctl_handle_string should have a timeout
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: hselasky@c2i.net
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 08 May 2005 13:50:04 -0000


>Number:         80775
>Category:       kern
>Synopsis:       sysctl_handle_string should have a timeout
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 08 13:50:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     HPS
>Release:        FreeBSD 6.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD 6.0-CURRENT FreeBSD 6.0-CURRENT #45: Mon Mar 21 15:40:17 CET 
2005 root@:/usr/obj/usr/src/sys/custom i386

>Description:

File: /sys/kern/kern_sysctl.c 

int
sysctl_handle_string(SYSCTL_HANDLER_ARGS)
{
        int error=0;
        char *tmparg;
        size_t outlen;

        /*
         * Attempt to get a coherent snapshot by copying to a
         * temporary kernel buffer.
         */
retry:
        outlen = strlen((char *)arg1)+1;
        tmparg = malloc(outlen, M_SYSCTLTMP, M_WAITOK);

        if (strlcpy(tmparg, (char *)arg1, outlen) >= outlen) {
                free(tmparg, M_SYSCTLTMP);
                goto retry;
        }

        error = SYSCTL_OUT(req, tmparg, outlen);
        free(tmparg, M_SYSCTLTMP);


When a device detaches strings can be left in freed memory, so 
"sysctl_handle_string" shouldn't try forever. Also the thread updating the 
string can sleep.

>How-To-Repeat:

>Fix:

Should have a timeout count and something like:

u_int8_t to = 255;

if(to--)
goto retry;
else return EINVAL;
>Release-Note:
>Audit-Trail:
>Unformatted: