Date:      Thu, 16 Feb 2012 14:44:52 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r231823 - head/sys/netgraph
Message-ID:  <201202161444.q1GEiqvd021171@svn.freebsd.org>

Author: glebius
Date: Thu Feb 16 14:44:52 2012
New Revision: 231823
URL: http://svn.freebsd.org/changeset/base/231823

Log:
  In ng_getsockaddr() allocate memory prior to obtaining lock.
  
  Reported & tested by:	Mykola Dzham <i levsha.me>

Modified:
  head/sys/netgraph/ng_socket.c

Modified: head/sys/netgraph/ng_socket.c
==============================================================================
--- head/sys/netgraph/ng_socket.c	Thu Feb 16 14:42:35 2012	(r231822)
+++ head/sys/netgraph/ng_socket.c	Thu Feb 16 14:44:52 2012	(r231823)
@@ -490,33 +490,30 @@ ng_getsockaddr(struct socket *so, struct
 	int sg_len;
 	int error = 0;
 
-	/* Why isn't sg_data a `char[1]' ? :-( */
-	sg_len = sizeof(struct sockaddr_ng) - sizeof(sg->sg_data) + 1;
-
 	pcbp = sotongpcb(so);
 	if ((pcbp == NULL) || (pcbp->sockdata == NULL))
 		/* XXXGL: can this still happen? */
 		return (EINVAL);
 
+	sg_len = sizeof(struct sockaddr_ng) + NG_NODESIZ -
+	    sizeof(sg->sg_data);
+	sg = malloc(sg_len, M_SONAME, M_WAITOK | M_ZERO);
+
 	mtx_lock(&pcbp->sockdata->mtx);
 	if (pcbp->sockdata->node != NULL) {
 		node_p node = pcbp->sockdata->node;
-		int namelen = 0;	/* silence compiler! */
 
 		if (NG_NODE_HAS_NAME(node))
-			sg_len += namelen = strlen(NG_NODE_NAME(node));
-
-		sg = malloc(sg_len, M_SONAME, M_WAITOK | M_ZERO);
-
-		if (NG_NODE_HAS_NAME(node))
-			bcopy(NG_NODE_NAME(node), sg->sg_data, namelen);
+			bcopy(NG_NODE_NAME(node), sg->sg_data,
+			    strlen(NG_NODE_NAME(node)));
+		mtx_unlock(&pcbp->sockdata->mtx);
 
 		sg->sg_len = sg_len;
 		sg->sg_family = AF_NETGRAPH;
 		*addr = (struct sockaddr *)sg;
-		mtx_unlock(&pcbp->sockdata->mtx);
 	} else {
 		mtx_unlock(&pcbp->sockdata->mtx);
+		free(sg, M_SONAME);
 		error = EINVAL;
 	}
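Review bot: The `bcopy()` in the named-node branch copies `strlen(NG_NODE_NAME(node))` bytes into a buffer that is now sized for a fixed `NG_NODESIZ` bytes of name data rather than for the name itself, so the write stays in bounds only if every node name is shorter than `NG_NODESIZ`. That invariant is enforced outside this hunk and is not visible here. Stating the bound at the copy would keep a later change to name handling from becoming a heap overflow, for example `strlcpy(sg->sg_data, NG_NODE_NAME(node), NG_NODESIZ);`, or at minimum a comment above the `malloc()` such as `/* Names are at most NG_NODESIZ - 1 bytes; allocate the maximum up front because M_WAITOK may sleep and must not run under the mutex. */`. `sg->sg_len` now always reports the maximum size instead of the length derived from the actual name, which is a caller-visible change that the log message does not mention. The signature and the tail of ng_getsockaddr() lie outside the hunk.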
 


