[Bug 274614] Issues with retry loop in pfctl_do_ioctl()
Date: Fri, 20 Oct 2023 16:57:55 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274614
Bug ID: 274614
Summary: Issues with retry loop in pfctl_do_ioctl()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: nreilly@blackberry.com
The retry loop in pfctl_do_ioctl() is problematic.
"data" is allocated outside the loop via nvlist_pack() and then freed inside on
the first time through. If ENOSPC is returned from the ioctl() then it goes to
the retry and will now attempt to memcpy() the previously freed data before
freeing it again.
There was a recent fix just before the retry loop
https://cgit.freebsd.org/src/commit/lib/libpfctl/libpfctl.c?id=6422599e74db4bb8b47cead46760d96601d8396a
Without that, there are even more problems where the memcpy() of nvlen could be
greater than the malloc() of size. This fix means that simply moving the retry
label up above the nvlist_pack() will not work, as that would then undo the
increasing of size on the retry.
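The ordering the report asks for, as an added example that is not libpfctl's own code: a stand-alone C model of the retry loop in which the packed request stays alive across retries and is freed once, while the size adjustment stays outside the loop. The fake ioctl, REPLY_NEEDED, REQ_LEN, run_fixed and the g_* counters are constructed for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins: the kernel reply needs REPLY_NEEDED bytes and the
 * fake ioctl fails with ENOSPC until the caller's buffer is that large. */
#define REPLY_NEEDED 96
#define REQ_LEN 40
static int g_calls;		/* ioctl attempts made by the last run */
static size_t g_final_size;	/* buffer size that finally succeeded */
struct nv { void *data; size_t len; size_t size; };
static int fake_ioctl(struct nv *nv)
{
	g_calls++;
	if (nv->size < REPLY_NEEDED) { errno = ENOSPC; return -1; }
	memset(nv->data, 'R', REPLY_NEEDED);	/* pretend a reply was written */
	return 0;
}
/* Retry loop with the ordering corrected: the packed request ("data") is
 * freed once after the loop, so every retry copies from live memory, and the
 * "size >= nvlen" adjustment stays outside the loop so growing the buffer on
 * ENOSPC is never undone. Returns 0 on success or an errno value. */
static int run_fixed(size_t size)
{
	struct nv nv;
	size_t nvlen = REQ_LEN;
	void *data = malloc(nvlen);	/* stands in for nvlist_pack() */
	int ret;
	if (data == NULL) return ENOMEM;
	if (nvlen > size) size = nvlen;	/* request must fit on the first try */
	g_calls = 0;
	for (;;) {
		nv.data = malloc(size);
		if (nv.data == NULL) { free(data); return ENOMEM; }
		memcpy(nv.data, data, nvlen);	/* data is still valid here */
		nv.len = nvlen; nv.size = size;
		ret = fake_ioctl(&nv);
		if (ret == -1 && errno == ENOSPC) {
			free(nv.data);
			size *= 2;	/* grow and retry with a fresh copy */
			continue;
		}
		break;
	}
	ret = (ret == 0) ? 0 : errno;
	free(data);	/* freed exactly once, after the last retry */
	free(nv.data);	/* the real code would unpack this first on success */
	g_final_size = size;
	return ret;
}
```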