https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208985
--- Comment #1 from CTurt <[email protected]> ---
To fix this bug, there should be a bound check on `req->oldlen` before calling `malloc`, such as the following:

if (req->oldptr == NULL) return (SYSCTL_OUT(req, 0, bpf_bpfd_cnt * sizeof(*xbd))); if (bpf_bpfd_cnt == 0) return (SYSCTL_OUT(req, 0, 0)); + if (req->oldlen > 0x1000) + return EINVAL; xbdbuf = malloc(req->oldlen, M_BPF, M_WAITOK);
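Review bot: The added `if (req->oldlen > 0x1000)` check bounds the allocation with a fixed constant that has no relation to the amount of data the handler returns. The `req->oldptr == NULL` branch just above it reports `bpf_bpfd_cnt * sizeof(*xbd)` as the required size, so a caller that sizes its buffer from that answer would get EINVAL as soon as the descriptor list needs more than 0x1000 bytes. Consider capping the length passed to `malloc` at `bpf_bpfd_cnt * sizeof(*xbd)` rather than rejecting on a hard-coded limit, and if an error return is kept, write it as `return (EINVAL);` to match the parenthesised returns in the surrounding lines.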
