https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208985
--- Comment #3 from CTurt <ct...@hardenedbsd.org> ---

Thanks for your response.

I firmly believe any `malloc` with an unchecked size from userland to absolutely be a bug. As demonstrated by my PoC code, when accessible, this can be used to at minimum panic a system. Even when accessible to root only, having a bug like this present makes the system slightly less stable, no matter how rarely it may occur.

It shouldn't really matter what requirements the function has; it is always better to fix it to eliminate the possibility of this becoming critical in the future if the code were ever to be altered. For example, you mention having interest in altering this code in the future such that under a rare circumstance, it would be accessible with normal user privileges.

My original patch set an arbitrary upper limit, which may not be appropriate. However, if this limit is either increased or changed to be variable, I would suggest removing the `M_WAITOK` flag and returning an error for when the call fails instead.
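The two suggestions in the comment above (bound the userland-supplied size, and allocate without `M_WAITOK` so that failure comes back as an error), as an added example that is not part of the original comment or of the FreeBSD source. It is a userland model: `handle_request`, `alloc_nowait`, `struct entry`, `ENTRY_MAX` and the 1 MiB budget are hypothetical stand-ins, with `alloc_nowait` playing the role of `malloc(9)` called with `M_NOWAIT`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ENTRY_MAX ((size_t)4096)   /* hypothetical default upper limit */

struct entry { uint32_t id; uint32_t flags; };   /* hypothetical record */

/* Stand-in for malloc(9) with M_NOWAIT: returns NULL on failure instead of
 * sleeping or panicking. The 1 MiB budget is constructed for the demo. */
static void *alloc_nowait(size_t size)
{
    if (size == 0 || size > ((size_t)1 << 20))
        return NULL;
    return malloc(size);
}

/* user_count models a value copied in from userland; limit may be fixed or
 * tunable. Returns 0 and sets *out, or an errno value with *out == NULL. */
int handle_request(size_t user_count, size_t limit, struct entry **out)
{
    *out = NULL;
    if (user_count == 0 || user_count > limit)
        return EINVAL;                 /* reject before any allocation */
    if (user_count > SIZE_MAX / sizeof(struct entry))
        return EOVERFLOW;              /* count * size would wrap */

    *out = alloc_nowait(user_count * sizeof(struct entry));
    if (*out == NULL)
        return ENOMEM;                 /* failure is an error, not a panic */
    return 0;
}

int main(void)
{
    struct entry *e;

    printf("in range:   %d\n", handle_request(16, ENTRY_MAX, &e));
    free(e);
    printf("over limit: %d\n", handle_request(5000, ENTRY_MAX, &e));
    printf("raised limit, allocation fails: %d\n",
           handle_request((size_t)1 << 20, SIZE_MAX, &e));
    return 0;
}
```

With the limit raised or made variable, the bound no longer guarantees the allocation fits, which is why the error path on a failed allocation matters.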