From a1b0a18096532f280de87bfd5351698e651b7e56 Mon Sep 17 00:00:00 2001 From: Ruslan Ermilov Date: Sat, 14 Oct 2006 19:01:55 +0000 Subject: [PATCH] Prevent IOC_IN with zero size argument (this is only supported if backward compatibility options are present) from attempting to free memory that wasn't allocated. This is an old bug, and previously it would attempt to free a null pointer. I noticed this bug when working on the previous revision, but forgot to fix it. Security: local DoS Reported by: Peter Holm MFC after: 3 days --- sys/kern/sys_generic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c index cab79b8466a1..841b8e0beb50 100644 --- a/sys/kern/sys_generic.c +++ b/sys/kern/sys_generic.c @@ -565,7 +565,8 @@ ioctl(struct thread *td, struct ioctl_args *uap) if (com & IOC_IN) { error = copyin(uap->data, data, (u_int)size); if (error) { - free(data, M_IOCTLOPS); + if (size > 0) + free(data, M_IOCTLOPS); return (error); } } else if (com & IOC_OUT) {
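Review bot: the new `if (size > 0)` guard in the copyin error path of `ioctl()` decides whether `data` was heap-allocated by looking at `size`, and nothing at this site explains or enforces that link. The allocation itself is outside the hunk, so a later change to the condition under which `data` is allocated would silently reintroduce the invalid `free(data, M_IOCTLOPS)` that the commit message describes as a local DoS. Consider keying the free on an explicit record of the allocation (for example a separate pointer that stays NULL when nothing was allocated) instead of on `size`, or at minimum add a one-line comment here stating that `data` is only allocated when `size > 0`. Please also confirm that every other exit path that frees `data` (not shown in this hunk) applies the same condition, since this hunk fixes only the `copyin` failure return.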