Message-Id: <200505081545.01840.hselasky@c2i.net>
Date: Sun, 8 May 2005 15:45:00 +0200
From: Hans Petter Selasky <hselasky@c2i.net>
Reply-To: hselasky@c2i.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: sysctl_handle_string should have a timeout

>Number:         80775
>Category:       kern
>Synopsis:       [kernel] [patch] sysctl_handle_string should have a timeout
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 08 13:50:02 GMT 2005
>Closed-Date:    
>Last-Modified:  Sun May 04 04:24:36 UTC 2014
>Originator:     HPS
>Release:        FreeBSD 6.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD 6.0-CURRENT FreeBSD 6.0-CURRENT #45: Mon Mar 21 15:40:17 CET 
2005 root@:/usr/obj/usr/src/sys/custom i386

>Description:

File: /sys/kern/kern_sysctl.c 

int
sysctl_handle_string(SYSCTL_HANDLER_ARGS)
{
        int error=0;
        char *tmparg;
        size_t outlen;

        /*
         * Attempt to get a coherent snapshot by copying to a
         * temporary kernel buffer.
         */
retry:
        outlen = strlen((char *)arg1)+1;
        tmparg = malloc(outlen, M_SYSCTLTMP, M_WAITOK);

        if (strlcpy(tmparg, (char *)arg1, outlen) >= outlen) {
                free(tmparg, M_SYSCTLTMP);
                goto retry;
        }

        error = SYSCTL_OUT(req, tmparg, outlen);
        free(tmparg, M_SYSCTLTMP);


When a device detaches, strings can be left in freed memory, so 
"sysctl_handle_string" shouldn't try forever. Also the thread updating the 
string can sleep.

>How-To-Repeat:

>Fix:

Should have a timeout count and something like:

        u_int8_t to = 255;

        if (to--)
                goto retry;
        else
                return (EINVAL);
>Release-Note:
>Audit-Trail:

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org, hselasky@c2i.net
Cc:  
Subject: Re: kern/80775: sysctl_handle_string should have a timeout
Date: Wed, 12 Mar 2008 04:10:43 +0100

 Sounds reasonable. Following is an exact patch (for the completeness of
 this ticket).
 
 --- sys/kern/kern_sysctl.c.orig	2008-03-12 04:03:09.000000000 +0100
 +++ sys/kern/kern_sysctl.c	2008-03-12 04:05:43.000000000 +0100
 @@ -929,6 +929,7 @@
  	int error=0;
  	char *tmparg;
  	size_t outlen;
 +	u_int8_t to = 255;
  
  	/*
  	 * Attempt to get a coherent snapshot by copying to a
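Review bot: the new counter `u_int8_t to = 255;` gives no hint of what it bounds, and the limit is a bare literal. It counts retries of the snapshot copy rather than elapsed time, so a name such as `retries` with a named constant for the limit would read better, and the comment that follows ("Attempt to get a coherent snapshot ...") should mention that the attempt is now bounded.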
 @@ -940,7 +941,10 @@
  
  	if (strlcpy(tmparg, (char *)arg1, outlen) >= outlen) {
  		free(tmparg, M_SYSCTLTMP);
 -		goto retry;
 +		if( to-- )
 +			goto retry;
 +		else
 +			return (EINVAL);
  	}
  
  	error = SYSCTL_OUT(req, tmparg, outlen);
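Review bot: on the give-up path, `return (EINVAL);` tells the caller its argument was invalid, although the failure here is that `strlcpy()` kept reporting truncation (`>= outlen`) because the source string changed under the copy; an errno that signals a transient condition, such as EAGAIN, would describe that better. With `to` starting at 255 and tested as `to--`, the copy is attempted 256 times back to back with nothing between attempts, so a comment should say whether that bound is intended. Style: `if( to-- )` should match the `if (strlcpy(` spacing two lines above, and the `else` after `goto retry;` can be dropped.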
 
>Unformatted:
