https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207627
--- Comment #2 from rday <r...@ryanday.net> ---
Comment on attachment 172594
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=172594
Proposed patch for #207627

After looking over the code I wanted to propose a patch to fix this problem.

If the name length or value length was 0, a negative array index would occur while checking for a NUL terminator. This patch adds a check preventing a 0 name length or value length.

Since the length of value shouldn't be negative, this patch changes the type of namelen and vallen to unsigned.

If memory couldn't be allocated for the argument name or value, the bailout path would attempt to free() a null pointer. This patch adds a check to prevent that from happening.

I also updated some comments detailing which values need a nul termination.
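The checks described in the comment above, as an added C example that is not the attached patch or FreeBSD source; the helper names (`field_is_terminated`, `copy_field`, `parse_pair`) and the calling convention are assumptions. It shows that the zero-length test is still required once the lengths are unsigned, because `len - 1` then wraps instead of going negative.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 1 if the len-byte field is non-empty and NUL-terminated. */
static int
field_is_terminated(const char *buf, size_t len)
{
	/* Without the len == 0 test, buf[len - 1] indexes SIZE_MAX for an
	 * unsigned length (or -1 for a signed one): an out-of-bounds read. */
	if (buf == NULL || len == 0)
		return (0);
	return (buf[len - 1] == '\0');
}

/* Hypothetical helper: copy a validated field, NULL on any failure. */
static char *
copy_field(const char *buf, size_t len)
{
	char *out;
	if (!field_is_terminated(buf, len))
		return (NULL);
	out = malloc(len);
	if (out != NULL)
		memcpy(out, buf, len);
	return (out);
}

/* Hypothetical parser for one name/value pair; nothing stays allocated on failure. */
static int
parse_pair(const char *name, size_t namelen, const char *val, size_t vallen,
    char **namep, char **valp)
{
	char *n = copy_field(name, namelen);
	char *v = copy_field(val, vallen);
	if (n == NULL || v == NULL) {
		/* Bailout path: release only what was actually allocated. */
		if (n != NULL)
			free(n);
		if (v != NULL)
			free(v);
		*namep = *valp = NULL;
		return (-1);
	}
	*namep = n;
	*valp = v;
	return (0);
}
```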