Page MenuHomeFreeBSD
Differential D47662

rtsock: fix panic in rtsock_msg_buffer()
ClosedPublic
Actions

Authored by glebius on Nov 18 2024, 8:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 9, 7:20 AM
Unknown Object (File)
Sun, Nov 30, 12:22 AM
Unknown Object (File)
Sat, Nov 29, 10:34 PM
Unknown Object (File)
Sun, Nov 23, 9:32 PM
Unknown Object (File)
Nov 5 2025, 3:21 PM
Unknown Object (File)
Nov 1 2025, 1:26 PM
Unknown Object (File)
Oct 7 2025, 4:38 AM
Unknown Object (File)
Oct 4 2025, 3:29 AM
View All 60 Files
Subscribers
ae
imp

Details

Reviewers
melifaro
Group Reviewers
network
Commits
rGdae64402b3e8: rtsock: fix panic in rtsock_msg_buffer()
Summary

The rtsock_msg_buffer() can be called without walkarg, just to calculate
required length. It can also be called with a degenerate walkarg, that
doesn't have a w_req. The latter happens when the function is called from
update_rtm_from_info() for the second time.

Zero init walkarg in update_rtm_from_info() and don't pass random stack
garbage as w_req.

In rtsock_msg_buffer() initialize compat32 boolean only once and take of
possible empty w_req. Simplify the rest of code once compat32 is already
set.

Reported-by: syzbot+d4a2682059e23179e76e@syzkaller.appspotmail.com
Reported-by: syzbot+66d7c9b3062e27a56f3f@syzkaller.appspotmail.com

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
sys/
net/
35 lines

Diff 146658

View Options

sys/net/rtsock.c

Loading...