https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207629
Mark Johnston <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
                 CC|                            |[email protected]
             Status|New                         |Closed

--- Comment #2 from Mark Johnston <[email protected]> ---
Sorry that this didn't get attention when it was submitted. I think this has
since been fixed by commit 712dda7fb0b83, though it's possible that something
else mitigated it before that.

> There is another possibility though; if `req->newlen` is `-12`, the
> allocation will be 0, and the 2 writes in `pargs_alloc` will be out of bounds.

An allocation length of zero will return a chunk of 16 bytes, so I don't think
this could have resulted in an out-of-bounds write.
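The size arithmetic discussed in the comment above, as an added example that is not part of the bug report or of FreeBSD's source. The struct layout, the helper names and the `len_ok` pre-check are assumptions made for illustration; the 16-byte minimum chunk is the figure given in the comment.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout, modelled on FreeBSD's struct pargs (not shown in the report). */
struct pargs_model {
    unsigned int  ar_ref;     /* first field written after allocation */
    unsigned int  ar_length;  /* second field written after allocation */
    unsigned char ar_args[1]; /* argument bytes follow the header */
};

#define MIN_CHUNK 16u /* smallest chunk handed out, per the comment */

/* Size requested from the allocator: header plus len, in unsigned arithmetic. */
static size_t request_size(int len)
{
    return sizeof(struct pargs_model) + (size_t)len;
}

/* Model only the allocator's lower bound; real allocators round up further. */
static size_t chunk_size(size_t req)
{
    return req < MIN_CHUNK ? MIN_CHUNK : req;
}

/* Do the two header writes stay inside the chunk that was handed back? */
static int header_fits(int len)
{
    size_t end = offsetof(struct pargs_model, ar_length) + sizeof(unsigned int);
    return end <= chunk_size(request_size(len));
}

/* Hypothetical pre-check: refuse lengths that would make the sum wrap. */
static int len_ok(int len, int max)
{
    return len >= 0 && len <= max;
}

int main(void)
{
    const int samples[] = { -12, -4, 0, 64 }; /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int len = samples[i];
        printf("len=%4d request=%3zu chunk=%3zu header_fits=%d len_ok=%d\n",
               len, request_size(len), chunk_size(request_size(len)),
               header_fits(len), len_ok(len, 4096));
    }
    return 0;
}
```

With a length of -12 the requested size wraps to 0, the modelled chunk is still 16 bytes, and the two 4-byte header fields end at offset 8.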
