Date: Fri, 20 Oct 2023 16:57:55 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 274614] Issues with retry loop in pfctl_do_ioctl()
Message-ID: <bug-274614-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274614

Bug ID: 274614
Summary: Issues with retry loop in pfctl_do_ioctl()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: nreilly@blackberry.com

The retry loop in pfctl_do_ioctl() is problematic.

"data" is allocated outside the loop via nvlist_pack() and then freed inside on the first time through. If ENOSPC is returned from the ioctl() then it goes to the retry and will now attempt to memcpy() the previously freed data before freeing it again.

There was a recent fix just before the retry loop
https://cgit.freebsd.org/src/commit/lib/libpfctl/libpfctl.c?id=6422599e74db4bb8b47cead46760d96601d8396a
without that there are even more problems where the memcpy() of nvlen could be greater than the malloc() of size. This fix means that simply moving the retry label up above the nvlist_pack() will not work as that would then undo the increasing of size on the retry.
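
Added example, not part of the report and not libpfctl code: a retry loop in which the packed request has a single owner, so an ENOSPC retry never copies from or frees already-freed memory, and the grown size is kept because nothing is re-packed. The names fake_req, fake_ioctl, fake_need, fake_calls and do_request_retry are hypothetical, and the size guard before the loop is an assumed form of the check the report refers to.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel side (not the pf ioctl): returns
 * ENOSPC until the caller's buffer is at least fake_need bytes. */
struct fake_req { void *data; size_t len; size_t size; };
static size_t fake_need = 64;
static int fake_calls;

static int fake_ioctl(struct fake_req *r)
{
	fake_calls++;
	if (r->size < fake_need) { errno = ENOSPC; return -1; }
	return 0;
}

/* `packed` plays the role of the nvlist_pack() result: it is the read-only
 * source for every attempt and is freed exactly once, after the loop. */
int do_request_retry(const void *src, size_t nvlen, size_t size, size_t *final_size)
{
	void *packed = malloc(nvlen), *buf;
	int ret;
	if (packed == NULL)
		return ENOMEM;
	memcpy(packed, src, nvlen);
	if (size < nvlen)            /* assumed guard: buffer must hold the request */
		size = nvlen;
	for (;;) {
		if ((buf = malloc(size)) == NULL) { ret = ENOMEM; break; }
		memcpy(buf, packed, nvlen);   /* packed is still live on every pass */
		struct fake_req r = { buf, nvlen, size };
		ret = fake_ioctl(&r) == 0 ? 0 : errno;
		free(buf);                    /* only the per-attempt buffer is freed */
		if (ret != ENOSPC || size > SIZE_MAX / 2)
			break;
		size *= 2;                    /* growth persists: nothing is re-packed */
	}
	free(packed);
	*final_size = size;
	return ret;
}

int main(void)
{
	size_t sz;
	return do_request_retry("abc", 4, 8, &sz);
}
```

Building this with -fsanitize=address is a quick way to confirm that no attempt touches freed memory; a real caller would read the reply out of buf before releasing it.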