Date:      Sat, 16 Jul 2016 22:02:37 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 207627] Negative array index in ctl.c
Message-ID:  <bug-207627-8-x8RnnfHTWe@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207627-8@https.bugs.freebsd.org/bugzilla/>
References:  <bug-207627-8@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207627

--- Comment #2 from rday <ryan@ryanday.net> ---
Comment on attachment 172594
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=172594
Proposed patch for #207627

After looking over the code I wanted to propose a patch to fix this problem.

If the name length or value length was 0, a negative array index would occur
while checking for a NUL terminator. This patch adds a check preventing a 0
name length or value length.

Since the length of value shouldn't be negative, this patch changes the type of
namelen and vallen to unsigned.

If memory couldn't be allocated for the argument name or value, the bailout
path would attempt to free() a null pointer. This patch adds a check to prevent
that from happening.

I also updated some comments detailing which values need a nul termination.

-- 
You are receiving this mail because:
You are the assignee for the bug.
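
The length check described in the comment above, as an added illustration; it is not the attached patch and not code from ctl.c. The function names, `ARG_MAX_LEN`, and the assumption that both name and value must be NUL-terminated are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_MAX_LEN 4096u	/* hypothetical cap, not a value from ctl.c */

/*
 * Return 1 only if buf[0..len-1] ends in a NUL. The len == 0 test must come
 * before buf[len - 1]: with a signed len that index is -1, and with an
 * unsigned len it wraps to UINT_MAX, so changing the type alone is not a fix.
 */
static int
arg_is_terminated(const char *buf, unsigned int len)
{
	if (buf == NULL || len == 0 || len > ARG_MAX_LEN)
		return (0);
	return (buf[len - 1] == '\0');
}

/*
 * Validate, then copy, a name/value pair (both assumed to need a NUL here).
 * On failure nothing stays allocated and both outputs are NULL.
 */
static int
arg_copy(const char *name, unsigned int namelen, const char *val,
    unsigned int vallen, char **kname, char **kval)
{
	*kname = *kval = NULL;
	if (!arg_is_terminated(name, namelen) || !arg_is_terminated(val, vallen))
		return (EINVAL);
	if ((*kname = malloc(namelen)) == NULL)
		return (ENOMEM);
	if ((*kval = malloc(vallen)) == NULL) {
		free(*kname);		/* release only what was allocated */
		*kname = NULL;
		return (ENOMEM);
	}
	memcpy(*kname, name, namelen);
	memcpy(*kval, val, vallen);
	return (0);
}

int main(void)
{
	char *n, *v;	/* constructed input: valid name, zero-length value */
	printf("%d\n", arg_copy("k", 2, "v", 0, &n, &v) == EINVAL);
	return (0);
}
```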

