https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207463
Kristof Provost <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
           Assignee|[email protected]           |[email protected]

--- Comment #1 from Kristof Provost <[email protected]> ---
I think your analysis is correct. The intention of the bcopy() appears to be to copy additional addresses behind the original list (hence the adds + size + i construction). You're correct that the buffer allocated by 'totlen = io->pfrio_size * sizeof(struct pfr_addr);' is too small for that. It's possible to panic a box that way.

I don't think your fix is sufficient though. If user space provides a smaller pfrio_size2 than pfrio_size (remember that all user space programmers are out to get us!) then we'd still end up running outside the allocated buffer.

I think we need to allocate the largest of pfrio_size and pfrio_size2: https://reviews.freebsd.org/D5426
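To make the sizing argument in the comment concrete, here is an added C sketch; it is not code from the FreeBSD tree or from review D5426. `struct pfr_addr_sim` is a constructed stand-in for `struct pfr_addr`, the three `totlen_*` functions model the original allocation, the size2-only allocation the comment argues against, and the max() allocation it proposes, and the feedback loop writing deleted entries at index size + i (bounded by size2) is modelled after the comment's description rather than copied from the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's struct pfr_addr. */
struct pfr_addr_sim {
    uint8_t  pfra_af, pfra_net, pfra_fback, pad;
    uint32_t addr[4];
};
#define ENT sizeof(struct pfr_addr_sim)

/* Original allocation: only pfrio_size is considered. */
size_t totlen_original(size_t size, size_t size2) { (void)size2; return size * ENT; }

/* Allocation based on pfrio_size2 alone (insufficient when size2 < size). */
size_t totlen_size2_only(size_t size, size_t size2) { (void)size; return size2 * ENT; }

/* Proposed allocation: the larger of the two counts.
 * Returns 0 on multiplication overflow (extra guard, not from the page). */
size_t totlen_max(size_t size, size_t size2)
{
    size_t n = size > size2 ? size : size2;
    return (n > SIZE_MAX / ENT) ? 0 : n * ENT;
}

/* The initial copy of `size` user addresses must fit the buffer. */
bool input_fits(size_t totlen, size_t size) { return size * ENT <= totlen; }

/* Modelled feedback loop: deleted entry i is written at index size + i,
 * but only when size + ndel <= size2 (otherwise the caller is just told
 * how much room it needs).  True if every write stays inside totlen. */
bool feedback_fits(size_t totlen, size_t size, size_t size2, size_t ndel)
{
    if (size + ndel > size2)
        return true;                      /* no feedback written */
    for (size_t i = 0; i < ndel; i++)
        if ((size + i + 1) * ENT > totlen)
            return false;
    return true;
}

int main(void)
{
    size_t size = 2, size2 = 6, ndel = 3;  /* constructed user-supplied counts */
    printf("original: %s\n", feedback_fits(totlen_original(size, size2), size, size2, ndel) ? "fits" : "OVERFLOW");
    printf("max():    %s\n", feedback_fits(totlen_max(size, size2), size, size2, ndel) ? "fits" : "OVERFLOW");
    printf("size2-only with size2 < size: %s\n", input_fits(totlen_size2_only(5, 2), 5) ? "fits" : "OVERFLOW");
    return 0;
}
```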
