DragonFly bugs List (threaded) for 2011-03
[
Date Prev][
Date Next]
[Thread Prev][
Thread Next]
[
Date Index][
Thread Index]
[issue2009] POSIX message queue malloc zone overflow
New submission from Venkatesh Srinivas <vsrinivas@dragonflybsd.org>:
#include <sys/types.h>
#include <mqueue.h>
int main() {
int i;
static struct mq_attr attr;
attr.mq_maxmsg=31;
attr.mq_msgsize=128;
char nam[300] = {};
int pidr;
for (i = 0; i < 128; i++) {
pidr = fork();
if(pidr == 0)
goto co;
}
co:
for (i = 0; i < 900; i++) {
sprintf(nam, "%d-%228d", i,getpid());
mq_unlink(nam);
if (mq_open(nam, O_RDWR|O_CREAT|O_EXCL, 0777, &attr) == -1)
break;
}
pause();
}
-------------------
The above program will hit a panic on a malloc zone overflow in sys_mqueue.c.
----------
messages: 9667
nosy: vsrinivas
status: unread
title: POSIX message queue malloc zone overflow
_____________________________________________________
DragonFly issue tracker <bugs@lists.dragonflybsd.org>
<http://bugs.dragonflybsd.org/issue2009>
_____________________________________________________
[
Date Prev][
Date Next]
[Thread Prev][
Thread Next]
[
Date Index][
Thread Index]
