NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

lib/43837: _cpuset_create has uninitialized size argument for call to sysctl

>Number:         43837
>Category:       lib
>Synopsis:       _cpuset_create has uninitialized size argument for call to 
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 03 19:20:00 +0000 2010
>Originator:     Sandy Snaman
>Release:        V5.0.2
src/common/lib/libc/sys/cpuset.c uses an uninitialized variable (&len below) to 
pass in the size of the output buffer for a call to sysctl.  

if (sysctl(mib, __arraycount(mib), &nc, >>> &len <<<<, NULL, 0)

When the 3rd arg (*oldp) is not null, the 4th arg (size_t*oldlenp) should point 
to the size of the buffer before the call is made.  

Depending on what is on the stack at the time of the call, this call may 
succeed or fail because the value of len was not initialized.

--- common/lib/libc/sys/cpuset.c        (revision 136179)
+++ common/lib/libc/sys/cpuset.c        (working copy)
@@ -138,8 +138,8 @@
        if (cpuset_size == 0) {
                static int mib[2] = { CTL_HW, HW_NCPU };
-               size_t len;
                u_int nc;
+               size_t len = sizeof(nc);

                if (sysctl(mib, __arraycount(mib), &nc, &len, NULL, 0) == -1)
                        return NULL;

Home | Main Index | Thread Index | Old Index