[Bug 281483] [librt] timer_delete segfaults with incorrect timer id

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 13 Sep 2024 15:06:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281483

            Bug ID: 281483
           Summary: [librt] timer_delete segfaults with incorrect timer id
           Product: Base System
           Version: 14.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: luc.techer64@gmail.com

Calling timer_delete from librt with an uninitialised timer id causes a
segmentation fault.

As I understand it, "timer_t" is a typedef for "struct __timer *", so calling
"timer_delete(0);" should be equivalent to calling timer_delete(NULL). In the
timer_delete implementation, there is no NULL check prior to dereferencing the
provided timer id causing a segmentation fault. This also causes timer_delete
to segfault when called twice with the same timer id.

It would be more in line with the documentation to return -1 and set errno to
EINVAL in these cases. Invalid values for timer id other than NULL cannot be
checked with the current implementation, maybe an API rework would be necessary
to fix this?
