Date:      Fri, 13 Sep 2024 15:06:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 281483] [librt] timer_delete segfaults with incorrect timer id
Message-ID:  <bug-281483-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281483

            Bug ID: 281483
           Summary: [librt] timer_delete segfaults with incorrect timer id
           Product: Base System
           Version: 14.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: luc.techer64@gmail.com

Calling timer_delete from librt with an uninitialised timer id causes a
segmentation fault.

As I understand it, "timer_t" is a typedef for "struct __timer *", so calling
"timer_delete(0);" should be equivalent to calling timer_delete(NULL). In the
timer_delete implementation, there is no NULL check prior to dereferencing the
provided timer id, causing a segmentation fault. This also causes timer_delete
to segfault when called twice with the same timer id.

It would be more in line with the documentation to return -1 and set errno to
EINVAL in these cases. Invalid values for timer id other than NULL cannot be
checked with the current implementation; maybe an API rework would be necessary
to fix this?

-- 
You are receiving this mail because:
You are the assignee for the bug.
