Page MenuHomeFreeBSD
Differential D47662

rtsock: fix panic in rtsock_msg_buffer()
ClosedPublic
Actions

Authored by glebius on Nov 18 2024, 8:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Feb 2, 11:58 AM
Unknown Object (File)
Sat, Jan 31, 3:22 PM
Unknown Object (File)
Sat, Jan 31, 2:21 AM
Unknown Object (File)
Jan 11 2026, 6:29 PM
Unknown Object (File)
Jan 10 2026, 6:36 PM
Unknown Object (File)
Jan 10 2026, 3:25 PM
Unknown Object (File)
Jan 10 2026, 5:46 AM
Unknown Object (File)
Jan 10 2026, 5:15 AM
View All 71 Files
Subscribers
ae
imp

Details

Reviewers
melifaro
Group Reviewers
network
Commits
rGdae64402b3e8: rtsock: fix panic in rtsock_msg_buffer()
Summary

The rtsock_msg_buffer() can be called without walkarg, just to calculate
required length. It can also be called with a degenerate walkarg, that
doesn't have a w_req. The latter happens when the function is called from
update_rtm_from_info() for the second time.

Zero init walkarg in update_rtm_from_info() and don't pass random stack
garbage as w_req.

In rtsock_msg_buffer() initialize compat32 boolean only once and take of
possible empty w_req. Simplify the rest of code once compat32 is already
set.

Reported-by: syzbot+d4a2682059e23179e76e@syzkaller.appspotmail.com
Reported-by: syzbot+66d7c9b3062e27a56f3f@syzkaller.appspotmail.com

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
sys/
net/
35 lines

Diff 146658

View Options

sys/net/rtsock.c

Loading...