https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207627

--- Comment #2 from rday <r...@ryanday.net> ---
Comment on attachment 172594
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=172594
Proposed patch for #207627

After looking over the code I wanted to propose a patch to fix this problem.

If the name length or value length was 0, a negative array index would occur
while checking for a NUL terminator. This patch adds a check preventing a 0
name length or value length.

Since the length of value shouldn't be negative, this patch changes the type of
namelen and vallen to unsigned.

If memory couldn't be allocated for the argument name or value, the bailout
path would attempt to free() a null pointer. This patch adds a check to prevent
that from happening.

I also updated some comments detailing which values need a nul termination.

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

Reply via email to