mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-03 23:28:58 +00:00
Prevent IOC_IN with zero size argument (this is only supported
if backward copatibility options are present) from attempting to free memory that wasn't allocated. This is an old bug, and previously it would attempt to free a null pointer. I noticed this bug when working on the previous revision, but forgot to fix it. Security: local DoS Reported by: Peter Holm MFC after: 3 days
This commit is contained in:
parent
c263eae028
commit
a1b0a18096
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=163355
|
@ -565,7 +565,8 @@ ioctl(struct thread *td, struct ioctl_args *uap)
|
|||
if (com & IOC_IN) {
|
||||
error = copyin(uap->data, data, (u_int)size);
|
||||
if (error) {
|
||||
free(data, M_IOCTLOPS);
|
||||
if (size > 0)
|
||||
free(data, M_IOCTLOPS);
|
||||
return (error);
|
||||
}
|
||||
} else if (com & IOC_OUT) {
|
||||
|
|
Loading…
Reference in a new issue