From randy@sierra.zyzzyva.com  Mon Dec 16 20:39:36 1996
Received: from sierra.zyzzyva.com (ppp0.zyzzyva.com [198.183.2.50])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id UAA26306
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 Dec 1996 20:39:34 -0800 (PST)
Received: (from randy@localhost) by sierra.zyzzyva.com (8.8.4/8.8.2) id WAA06974; Mon, 16 Dec 1996 22:39:55 -0600 (CST)
Message-Id: <199612170439.WAA06974@sierra.zyzzyva.com>
Date: Mon, 16 Dec 1996 22:39:55 -0600 (CST)
From: randy@zyzzyva.com
Reply-To: randy@zyzzyva.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: SEGV in sysctl for version 2.2
X-Send-Pr-Version: 3.2

>Number:         2230
>Category:       kern
>Synopsis:       SEGV in sysctl
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 16 20:40:01 PST 1996
>Closed-Date:    Sun Mar 2 13:36:44 PST 1997
>Last-Modified:  Sun Mar  2 13:37:12 PST 1997
>Originator:     Randy Terbush
>Release:        FreeBSD 2.2-RELEASE i386
>Organization:
Zyzzyva Enterprises
>Environment:

	2.2-RELEASE supped 6:00amCST 16/12/96
	P5-133
	64MB RAM

	The following kernel variables have been "tweaked".

	maxusers        256
	options         NMBCLUSTERS=4096
	options         DFLDSIZ=33554432
	options         DFLSSIZ=1048576
	options         CHILD_MAX=1536
	options         OPEN_MAX=1536
	options         "FD_SETSIZE=1024"

>Description:

	'sysctl kern' dumps core

>How-To-Repeat:

	(gdb) r kern
Starting program: /usr/obj/nfs/zwww1/var/src/usr.sbin/sysctl/sysctl kern
kern.ostype: FreeBSD
kern.osrelease: 2.2-RELEASE
kern.osrevision: 199506
kern.version: FreeBSD 2.2-RELEASE #1: Sat Dec 14 11:50:01 CST 1996
    kroot@sierra:/nfs/zwww1/var/src/sys/compile/SIERRA

kern.maxvnodes: 7881
kern.maxproc: 4116
kern.maxfiles: 8232
kern.argmax: 65536
kern.securelevel: -1
kern.hostname: sierra
kern.hostid: 0
kern.clockrate: { hz = 100, tick = 10000, profhz = 1024, stathz = 128 }

Program received signal SIGSEGV, Segmentation fault.
show_var (oid=0xefbfd750, nlen=2)
    at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:349
349             i = sysctl(oid, nlen, val, &len, 0, 0);
(gdb) bt
#0  show_var (oid=0xefbfd750, nlen=2)
    at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:349
#1  0x2807 in sysctl_all (oid=0xefbfdc1c, len=1)
    at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:456
#2  0x1b38 in parse (string=0xefbfdd26 "kern")
    at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:154
#3  0x189b in main (argc=0, argv=0xefbfdcac)
    at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:107
(gdb) l
344             i = sysctl(oid, nlen, 0, &j, 0, 0);
345             j += j; /* we want to be sure :-) */
346
347             val = alloca(j);
348             len = j;
349             i = sysctl(oid, nlen, val, &len, 0, 0);
350             if (i || !len)
351                     return (1);
352
353             if (bflag) {
(gdb) 

After several calls to this piece of code, alloca() allocates a
bogus address which is not being checked for here.

Breakpoint 1, show_var (oid=0xefbfd750, nlen=2)
    at /nfs/zwww1/var/src/usr.sbin/sysctl/sysctl.c:345
345             j += j; /* we want to be sure :-) */
(gdb) s
347             val = alloca(j);
(gdb) 
348             len = j;
(gdb) p val
$20 = (
    unsigned char *) 0xefa3df98 <Error reading address 0xefa3df98: Invalid argument>
(gdb) 


>Fix:
	


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Sun Mar 2 13:36:44 PST 1997 
State-Changed-Why:  
The originator says that this has been fixed in 2.2-GAMMA.
>Unformatted:
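The alloca() problem described in the report, as an added example that is not part of this PR or of sysctl.c: query_var() is a constructed stand-in for the probe-then-fill sysctl(2) call, MAX_VALUE is a chosen cap, and fetch_var() is a heap-allocated, size-checked replacement for the buffer setup in show_var().

```c
/* Added example, not sysctl.c itself: show_var() sizes its buffer with
 * alloca(j), which cannot report failure, so an oversized request yields a
 * stack address whose first touch faults. This keeps the two-call protocol
 * but bounds the size and allocates where every failure is visible. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for sysctl(2): buf == NULL reports the required
 * length; otherwise the value is copied, or ENOMEM if buf is too small. */
static const struct { size_t len; const char *text; } vars[] = {
    { 7, "FreeBSD" },          /* small string, like kern.ostype */
    { (size_t)1 << 22, NULL }, /* 4 MiB value, bigger than a 1 MiB stack */
};

static int query_var(int oid, void *buf, size_t *len)
{
    if (oid < 0 || (size_t)oid >= sizeof vars / sizeof vars[0]) { errno = ENOENT; return -1; }
    size_t need = vars[oid].len;
    if (buf == NULL) { *len = need; return 0; }       /* probe call */
    if (*len < need) { errno = ENOMEM; return -1; }    /* caller's buffer too small */
    if (vars[oid].text) memcpy(buf, vars[oid].text, need); else memset(buf, 0xAA, need);
    *len = need; return 0;
}

#define MAX_VALUE (1u << 20) /* chosen cap for a value we intend to print */

/* Probe, bound, allocate, fill. Returns a malloc'd buffer (caller frees)
 * or NULL with errno set; no path hands back an unusable address. */
void *fetch_var(int oid, size_t *out_len)
{
    size_t len = 0;
    if (query_var(oid, NULL, &len) == -1) return NULL;
    if (len > MAX_VALUE) { errno = EFBIG; return NULL; } /* alloca(j) had no such bound */
    unsigned char *val = malloc(len ? len : 1);          /* failure is observable here */
    if (val == NULL) return NULL;
    if (query_var(oid, val, &len) == -1) { free(val); return NULL; } /* e.g. value grew */
    *out_len = len;
    return val;
}

/* Returns 1 if fetch_var yields exactly `expected`, or, when expected is
 * NULL, if it fails with errno == want_errno. */
int fetch_check(int oid, const char *expected, int want_errno)
{
    size_t n = 0; errno = 0;
    void *p = fetch_var(oid, &n);
    int ok = expected ? (p != NULL && n == strlen(expected) && memcmp(p, expected, n) == 0)
                      : (p == NULL && errno == want_errno);
    free(p); return ok;
}
```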
