https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207463
Kristof Provost <k...@freebsd.org> changed:

           What    |Removed                  |Added
----------------------------------------------------------------------------
                 CC|                         |k...@freebsd.org
           Assignee|freebsd-bugs@FreeBSD.org |k...@freebsd.org

--- Comment #1 from Kristof Provost <k...@freebsd.org> ---
I think your analysis is correct.

The intention of the bcopy() appears to be to copy additional addresses behind the original list (hence the adds + size + i construction). You're correct that the buffer allocated by 'totlen = io->pfrio_size * sizeof(struct pfr_addr);' is too small for that. It's possible to panic a box that way.

I don't think your fix is sufficient though. If user space provides a smaller pfrio_size2 than pfrio_size (remember that all user space programmers are out to get us!) then we'd still end up running outside the allocated buffer.

I think we need to allocate the largest of pfrio_size and pfrio_size2: https://reviews.freebsd.org/D5426
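An added example, not code from this bug thread or from FreeBSD's pf, that models the sizing discipline described in the comment with hypothetical stand-in structures (`addr_entry`, `addrs_io`, `MAX_ENTRIES` are all assumptions): the kernel buffer is sized by the larger of the two user-supplied counts, every write is bounds-checked against that allocation, and the two insufficient sizings (by size alone, and by size2 alone) are shown to fail the check.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the kernel structures; not FreeBSD's own definitions. */
struct addr_entry { uint8_t bytes[24]; };  /* hypothetical fixed-size address record */
struct addrs_io {
    size_t size;   /* entries in the caller's list (role of pfrio_size) */
    size_t size2;  /* total entries the caller can take back (role of pfrio_size2) */
};
#define MAX_ENTRIES 100000  /* cap so a user-chosen count cannot force a huge allocation */

/* Sizing from the comment: allocate for the larger of the two user-supplied
 * counts. Sizing by size alone (the bug) lets the feedback copy at size + i
 * overrun; sizing by size2 alone (the first fix) lets a size2 < size request
 * overrun when the original list is copied in. Returns 0 when rejected. */
size_t safe_buffer_len(const struct addrs_io *io)
{
    size_t n = io->size > io->size2 ? io->size : io->size2;
    if (n == 0 || n > MAX_ENTRIES)
        return 0;
    return n * sizeof(struct addr_entry);  /* cannot overflow: n <= MAX_ENTRIES */
}

/* Bounds-checked write of n entries starting at index base into buf (buflen
 * bytes). Returns 1 on success, 0 if any write would land outside the buffer. */
int append_entries(uint8_t *buf, size_t buflen, size_t base,
                   const struct addr_entry *src, size_t n)
{
    size_t capacity = buflen / sizeof(struct addr_entry);
    for (size_t i = 0; i < n; i++) {
        size_t idx = base + i;
        if (idx < base || idx >= capacity)
            return 0;
        memcpy(buf + idx * sizeof(*src), &src[i], sizeof(*src));
    }
    return 1;
}

/* Model of the ioctl's two copies into a buffer of buflen bytes: the caller's
 * size entries at index 0, then feedback entries at size + i until size2 total. */
int set_addrs_model(size_t size, size_t size2, size_t buflen)
{
    struct addr_entry src[16] = {{{0}}};  /* constructed input; tests stay <= 16 */
    size_t extra = size2 > size ? size2 - size : 0;
    uint8_t *buf = calloc(buflen ? buflen : 1, 1);
    int ok = buf && size <= 16 && extra <= 16 &&
             append_entries(buf, buflen, 0, src, size) &&
             append_entries(buf, buflen, size, src, extra);
    free(buf);
    return ok;
}
```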