Date:      Tue, 13 Jan 2015 20:58:07 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-net@FreeBSD.org
Subject:   [Bug 172675] [netinet] [patch] sysctl_tcp_hc_list (net.inet.tcp.hostcache.list) race condition causing memory corruption
Message-ID:  <bug-172675-2472-A8S9hRgmTh@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-172675-2472@https.bugs.freebsd.org/bugzilla/>
References:  <bug-172675-2472@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=172675

John Baldwin <jhb@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhb@FreeBSD.org

--- Comment #6 from John Baldwin <jhb@FreeBSD.org> ---
Created attachment 151584
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=151584&action=edit
sbuf_hc_list.patch

It is true that cache_count updates are very racy, and it might be worth fixing
them to be atomic.  However, those would not prevent the corruption.  If the
cache grew during the sysctl even with the atomic ops you could still overflow
the buffer.

I started out by adding explicit checks of 'p - buf >= bufsize' to break out of
the loop.  However, the sbuf(9) API already provides a nice way to handle
variable output into a fixed size buffer while handling overflow correctly,
etc.  I've attached a patch which takes this route and converts the sysctl to
use an sbuf instead.  Please test.

-- 
You are receiving this mail because:
You are the assignee for the bug.
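
The failure mode described in comment #6, as an added userland C model (not the attached patch and not FreeBSD kernel code): a buffer is sized from a count snapshot, the list is longer by the time it is walked, and a bounded append records the overflow instead of writing past the end. `bbuf`, `dump_entries`, `LINESIZE` and the sample records are hypothetical names and constructed data; the real fix uses sbuf(9).

```c
#include <stdarg.h>
#include <stdio.h>

#define LINESIZE 32   /* constructed per-entry size estimate */
/* Hypothetical fixed-size buffer: appends never write past the end. */
struct bbuf { char *buf; size_t size, len; int error; };

static int bbuf_printf(struct bbuf *b, const char *fmt, ...)
{
    va_list ap;
    size_t room = b->size - b->len;   /* includes space for the NUL */
    int n;
    if (b->error) return -1;          /* overflow flag is sticky */
    va_start(ap, fmt);
    n = vsnprintf(b->buf + b->len, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        b->buf[b->len] = '\0';        /* drop the partial record */
        b->error = 1;
        return -1;
    }
    b->len += (size_t)n;
    return 0;
}

struct dump_result { size_t emitted, used; int overflowed; };

/* Size the buffer from a count snapshot, then walk `actual` entries: this
 * models the cache growing between the sizing step and the walk. One spare
 * slot (an assumption of this example) keeps the size nonzero. */
static struct dump_result dump_entries(size_t snapshot, size_t actual)
{
    char storage[8 * LINESIZE];
    struct bbuf b = { storage, (snapshot + 1) * LINESIZE, 0, 0 };
    struct dump_result r = { 0, 0, 0 };
    if (b.size > sizeof(storage)) b.size = sizeof(storage);
    for (size_t i = 0; i < actual; i++) {   /* constructed 30-byte records */
        if (bbuf_printf(&b, "192.0.2.%-3zu mtu=1500 rtt=%4zu\n", i, i * 10))
            break;
        r.emitted++;
    }
    r.used = b.len;
    r.overflowed = b.error;
    return r;
}

int main(void)
{
    struct dump_result r = dump_entries(2, 5);   /* sized for 2, walked 5 */
    printf("emitted=%zu used=%zu overflowed=%d\n", r.emitted, r.used, r.overflowed);
}
```

An unbounded `sprintf` into the same storage would have written all five records; here the caller sees the overflow flag and can return an error or a truncated listing.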