Bug #2009
POSIX message queue malloc zone overflow
Status: Closed
Priority: Normal
% Done: 0%
Description
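#include <sys/types.h>
#include <fcntl.h>      /* O_RDWR, O_CREAT, O_EXCL */
#include <mqueue.h>
#include <stdio.h>      /* sprintf */
#include <unistd.h>     /* fork, getpid, pause */

int main() {
    int i;
    static struct mq_attr attr;
    attr.mq_maxmsg = 31;
    attr.mq_msgsize = 128;
    char nam[300] = {};
    int pidr;

    /* The parent forks 128 children; each child leaves the loop at once. */
    for (i = 0; i < 128; i++) {
        pidr = fork();
        if (pidr == 0)
            goto co;
    }
co:
    /* Every process (parent included) creates up to 900 queues with long,
     * per-process names, stopping at the first mq_open() failure. */
    for (i = 0; i < 900; i++) {
        sprintf(nam, "%d-%228d", i, getpid());
        mq_unlink(nam);
        if (mq_open(nam, O_RDWR|O_CREAT|O_EXCL, 0777, &attr) == -1)
            break;
    }
    /* Keep the process, and with it the open queues, alive. */
    pause();
}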
-------------------
The above program will hit a panic on a malloc zone overflow in sys_mqueue.c.
Updated by vsrinivas almost 14 years ago
I believe this is fixed by:
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/d3a2b23d59a91627b09e142cb10ca0ac9255bef2