On 29/11/18(Thu) 22:42, Alexandre Ratchov wrote:
> On Thu, Nov 29, 2018 at 04:51:19PM -0200, Martin Pieuchot wrote:
> > Trivial one, ok?
> >
> > Index: kern/sysv_msg.c
> > ===================================================================
> > RCS file: /cvs/src/sys/kern/sysv_msg.c,v
> > retrieving revision 1.33
> > diff -u -p -r1.33 sysv_msg.c
> > --- kern/sysv_msg.c 15 Sep 2016 02:00:16 -0000 1.33
> > +++ kern/sysv_msg.c 29 Nov 2018 18:47:05 -0000
> > @@ -699,7 +699,7 @@ sysctl_sysvmsg(int *name, u_int namelen,
> > msginfo.msgmni * sizeof(struct msqid_ds);
> >
>
> infolen is calculated twice; the first infolen calculation is used as
> argument to malloc(). Your diff makes the second one the size argument
> to free(), which doesn't seem correct.
Thanks for pointing that out. Revised diff adding & using a different variable.
Index: kern/sysv_msg.c
===================================================================
RCS file: /cvs/src/sys/kern/sysv_msg.c,v
retrieving revision 1.33
diff -u -p -r1.33 sysv_msg.c
--- kern/sysv_msg.c 15 Sep 2016 02:00:16 -0000 1.33
+++ kern/sysv_msg.c 30 Nov 2018 17:59:43 -0000
@@ -658,7 +658,7 @@ sysctl_sysvmsg(int *name, u_int namelen,
{
struct msg_sysctl_info *info;
struct que *que;
- size_t infolen;
+ size_t infolen, infolen0;
int error;
switch (*name) {
@@ -675,10 +675,10 @@ sysctl_sysvmsg(int *name, u_int namelen,
* message queues; for now, emulate this behavior
* until a more thorough fix can be made.
*/
- infolen = sizeof(msginfo) +
+ infolen0 = sizeof(msginfo) +
msginfo.msgmni * sizeof(struct msqid_ds);
if (where == NULL) {
- *sizep = infolen;
+ *sizep = infolen0;
return (0);
}
@@ -692,14 +692,14 @@ sysctl_sysvmsg(int *name, u_int namelen,
if (*sizep == sizeof(struct msginfo))
return (copyout(&msginfo, where, sizeof(msginfo)));
- info = malloc(infolen, M_TEMP, M_WAIT|M_ZERO);
+ info = malloc(infolen0, M_TEMP, M_WAIT|M_ZERO);
/* if the malloc slept, this may have changed */
infolen = sizeof(msginfo) +
msginfo.msgmni * sizeof(struct msqid_ds);
if (*sizep < infolen) {
- free(info, M_TEMP, 0);
+ free(info, M_TEMP, infolen0);
return (ENOMEM);
}
@@ -716,7 +716,7 @@ sysctl_sysvmsg(int *name, u_int namelen,
error = copyout(info, where, infolen);
- free(info, M_TEMP, 0);
+ free(info, M_TEMP, infolen0);
return (error);
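Review bot: In the third hunk the recomputed infolen is checked only against *sizep, so in the case the comment anticipates (msgmni grew while malloc() slept) infolen can exceed infolen0, the size the buffer was actually allocated with, and the copyout(info, where, infolen) in the last hunk then reads infolen bytes out of an infolen0-byte allocation. The diff makes the malloc/free sizes agree but leaves that mismatch in place; treating growth like the too-small caller buffer closes it with `if (*sizep < infolen || infolen > infolen0) {` ahead of the existing free/ENOMEM pair. Whatever fills info between this hunk and the copyout is outside the diff, so whether it also writes past infolen0 cannot be judged here, and sysctl_sysvmsg continues outside the hunk.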