
rtsock: fix panic in rtsock_msg_buffer()
Closed, Public

Authored by glebius on Nov 18 2024, 8:19 PM.

Details

Summary

The rtsock_msg_buffer() can be called without walkarg, just to calculate
required length. It can also be called with a degenerate walkarg, that
doesn't have a w_req. The latter happens when the function is called from
update_rtm_from_info() for the second time.

Zero init walkarg in update_rtm_from_info() and don't pass random stack
garbage as w_req.

In rtsock_msg_buffer() initialize compat32 boolean only once and take care of
possible empty w_req. Simplify the rest of code once compat32 is already
set.

Reported-by: syzbot+d4a2682059e23179e76e@syzkaller.appspotmail.com
Reported-by: syzbot+66d7c9b3062e27a56f3f@syzkaller.appspotmail.com
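
The two failure modes named in the summary, as an added example: this is a simplified user-space model, not the FreeBSD code or the patch under review. Only `walkarg` and `w_req` come from the summary; `struct req`, `REQ_FLAG_32BIT`, the header sizes and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model; only walkarg and w_req are names from the summary. */
struct req { int flags; };                   /* hypothetical request object */
#define REQ_FLAG_32BIT 0x1                   /* hypothetical "32-bit caller" flag */
struct walkarg { int w_op; struct req *w_req; };

enum { HDR_NATIVE = 96, HDR_COMPAT32 = 80 }; /* constructed header sizes */

/* Hardened form: decide compat32 once, tolerating w == NULL (length-only
 * call) and w_req == NULL (degenerate walkarg). */
static size_t msg_buffer_len(const struct walkarg *w, size_t payload, bool *compat32)
{
    *compat32 = (w != NULL && w->w_req != NULL &&
        (w->w_req->flags & REQ_FLAG_32BIT) != 0);
    return (*compat32 ? HDR_COMPAT32 : HDR_NATIVE) + payload;
}

/* "Before" caller: the struct holds leftover stack bytes (simulated here with
 * a fill pattern), so w_req is non-NULL and a NULL check alone cannot help. */
static bool stale_w_req_passes_null_check(void)
{
    struct walkarg w;
    memset(&w, 0xA5, sizeof(w));             /* constructed stand-in for stack garbage */
    return (w.w_req != NULL);                /* compared only, never dereferenced */
}

/* "After" caller: zero-initialised walkarg, so w_req is NULL and is skipped. */
static size_t fixed_caller_len(size_t payload, bool *compat32)
{
    struct walkarg w = { 0 };
    return msg_buffer_len(&w, payload, compat32);
}

int main(void)
{
    bool c32;
    struct req r32 = { REQ_FLAG_32BIT };
    struct walkarg w = { 0, &r32 };
    printf("length-only call: %zu\n", msg_buffer_len(NULL, 16, &c32));
    printf("zeroed walkarg: %zu\n", fixed_caller_len(16, &c32));
    size_t n = msg_buffer_len(&w, 16, &c32);
    printf("32-bit request: %zu compat32=%d\n", n, c32);
    printf("stale w_req passes NULL check: %d\n", stale_w_req_passes_null_check());
    return 0;
}
```

The model shows why the change needs both halves: the NULL check in the callee only protects callers that zero the structure first.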

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable