Prevent IOC_IN with zero size argument (this is only supported
if backward compatibility options are present) from attempting
to free memory that wasn't allocated.  This is an old bug, and
previously it would attempt to free a null pointer.  I noticed
this bug when working on the previous revision, but forgot to
fix it.

Security:	local DoS
Reported by:	Peter Holm
MFC after:	3 days
Ruslan Ermilov 2006-10-14 19:01:55 +00:00
parent c263eae028
commit a1b0a18096
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=163355

@ -565,7 +565,8 @@ ioctl(struct thread *td, struct ioctl_args *uap)
if (com & IOC_IN) {
error = copyin(uap->data, data, (u_int)size);
if (error) {
free(data, M_IOCTLOPS);
if (size > 0)
free(data, M_IOCTLOPS);
return (error);
}
} else if (com & IOC_OUT) {
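Review bot: the `if (size > 0)` guard on `free(data, M_IOCTLOPS)` in the copyin error path restates the allocation condition by hand, and the allocation is outside this hunk, so nothing visible here keeps the two in step. Suggest a one-line comment at the guard saying that data is not allocated for a zero-size IOC_IN, or tracking the allocation in a single pointer that is set only when memory was actually obtained and freeing that pointer on every exit path. It is also worth confirming that any other free of data after this point, which this hunk does not show, is covered by the same condition, since the commit message describes the unguarded free as a local DoS.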