On 29/11/18(Thu) 22:42, Alexandre Ratchov wrote:
> On Thu, Nov 29, 2018 at 04:51:19PM -0200, Martin Pieuchot wrote:
> > Trivial one, ok?
> > 
> > Index: kern/sysv_msg.c
> > ===================================================================
> > RCS file: /cvs/src/sys/kern/sysv_msg.c,v
> > retrieving revision 1.33
> > diff -u -p -r1.33 sysv_msg.c
> > --- kern/sysv_msg.c 15 Sep 2016 02:00:16 -0000      1.33
> > +++ kern/sysv_msg.c 29 Nov 2018 18:47:05 -0000
> > @@ -699,7 +699,7 @@ sysctl_sysvmsg(int *name, u_int namelen,
> >                 msginfo.msgmni * sizeof(struct msqid_ds);
> >  
> 
> infolen is calculated twice; the first infolen calculation is used as
> argument to malloc(). Your diff makes the second one the size argument
> to free(), which doesn't seem correct.

Thanks for pointing that out.  Revised diff adding & using a different
variable.

Index: kern/sysv_msg.c
===================================================================
RCS file: /cvs/src/sys/kern/sysv_msg.c,v
retrieving revision 1.33
diff -u -p -r1.33 sysv_msg.c
--- kern/sysv_msg.c     15 Sep 2016 02:00:16 -0000      1.33
+++ kern/sysv_msg.c     30 Nov 2018 17:59:43 -0000
@@ -658,7 +658,7 @@ sysctl_sysvmsg(int *name, u_int namelen,
 {
        struct msg_sysctl_info *info;
        struct que *que;
-       size_t infolen;
+       size_t infolen, infolen0;
        int error;
 
        switch (*name) {
@@ -675,10 +675,10 @@ sysctl_sysvmsg(int *name, u_int namelen,
                 * message queues; for now, emulate this behavior
                 * until a more thorough fix can be made.
                 */
-               infolen = sizeof(msginfo) +
+               infolen0 = sizeof(msginfo) +
                    msginfo.msgmni * sizeof(struct msqid_ds);
                if (where == NULL) {
-                       *sizep = infolen;
+                       *sizep = infolen0;
                        return (0);
                }
 
@@ -692,14 +692,14 @@ sysctl_sysvmsg(int *name, u_int namelen,
                if (*sizep == sizeof(struct msginfo))
                        return (copyout(&msginfo, where, sizeof(msginfo)));
 
-               info = malloc(infolen, M_TEMP, M_WAIT|M_ZERO);
+               info = malloc(infolen0, M_TEMP, M_WAIT|M_ZERO);
 
                /* if the malloc slept, this may have changed */
                infolen = sizeof(msginfo) +
                    msginfo.msgmni * sizeof(struct msqid_ds);
 
                if (*sizep < infolen) {
-                       free(info, M_TEMP, 0);
+                       free(info, M_TEMP, infolen0);
                        return (ENOMEM);
                }
 
@@ -716,7 +716,7 @@ sysctl_sysvmsg(int *name, u_int namelen,
 
                error = copyout(info, where, infolen);
 
-               free(info, M_TEMP, 0);
+               free(info, M_TEMP, infolen0);
 
                return (error);
 
