authorRuslan Ermilov <ru@FreeBSD.org>2006-10-14 19:01:55 +0000
committerRuslan Ermilov <ru@FreeBSD.org>2006-10-14 19:01:55 +0000
commita1b0a18096532f280de87bfd5351698e651b7e56 (patch)
treeee8d49e06e43a922845205b1c0b7dc7897fbd310 /sys/kern/sys_generic.c
parentc263eae028c78d20e32f2a53387ddd2521cc21db (diff)
Prevent IOC_IN with zero size argument (this is only supported
if backward compatibility options are present) from attempting to free memory that wasn't allocated. This is an old bug, and previously it would attempt to free a null pointer. I noticed this bug when working on the previous revision, but forgot to fix it. Security: local DoS Reported by: Peter Holm MFC after: 3 days
Notes
Notes: svn path=/head/; revision=163355
Diffstat (limited to 'sys/kern/sys_generic.c')
-rw-r--r--sys/kern/sys_generic.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c
index cab79b8466a1..841b8e0beb50 100644
--- a/sys/kern/sys_generic.c
+++ b/sys/kern/sys_generic.c
@@ -565,7 +565,8 @@ ioctl(struct thread *td, struct ioctl_args *uap)
if (com & IOC_IN) {
error = copyin(uap->data, data, (u_int)size);
if (error) {
- free(data, M_IOCTLOPS);
+ if (size > 0)
+ free(data, M_IOCTLOPS);
return (error);
}
} else if (com & IOC_OUT) {
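Review bot: The new `if (size > 0)` guard on the copyin() error path restates the condition under which `data` was heap-allocated, but that allocation sits above the hunk, so nothing visible here ties the two together. Going by the commit message, `data` refers to storage that was never malloc'ed when the size is zero; a comment on the guard would record that, for example `/* data is only malloc'ed when size > 0; otherwise it is not ours to free */`. ioctl() continues past the hunk, so any later exit path that calls `free(data, M_IOCTLOPS)` should be checked for the same guard. A more durable form would be a separate "allocated" flag or pointer set where the malloc happens, so the free sites do not depend on `size` staying unchanged in between.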