On Fri, Mar 24, 2017 at 10:42:38AM -0600, Alexander Bluhm wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: bl...@cvs.openbsd.org 2017/03/24 10:42:38
>
> Modified files:
> sys/kern : subr_log.c
>
> Log message:
> There was a race in dosendsyslog() which resulted in a crash.
> sosend(syslogf->f_data, ...) could be called with a NULL pointer.
> syslogf was not NULL, f_data was NULL and f_count was 1. The file
> structure is ref counted, but the global variable syslogf is not
> protected. So it may change during sleep and dosendsyslog() possibly
> used a different socket at each access. Solution is to access
> syslogf only once, use a local copy, and do the ref counting there.
> OK millert@ deraadt@
and OK beck@
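
The access pattern described in the log message, modelled in userspace as an added example; it is not part of this thread and not the code in subr_log.c. The simplified `struct file`, `sleep_point()`, `send_racy()` and `send_fixed()` are hypothetical names, and the sleep is simulated by a direct call that replaces the global.

```c
/* Userspace model, constructed for illustration; not sys/kern/subr_log.c. */
#include <stdio.h>

struct file { int f_count; void *f_data; };  /* simplified stand-in */

static struct file *syslogf;                 /* unprotected global */
static struct file fa, fb;                   /* two log files */
static int sock_a, sock_b;                   /* stand-ins for sockets */

static void reset(void) {
    fa = (struct file){ 1, &sock_a };
    fb = (struct file){ 1, &sock_b };
    syslogf = &fa;
}

/* What another context may do while the sender sleeps: install a new
 * file and drop the old one's reference. */
static void sleep_point(void) {
    struct file *old = syslogf;
    syslogf = &fb;
    if (--old->f_count == 0)
        old->f_data = NULL;                  /* last reference: socket gone */
}

/* Racy shape: the global is dereferenced again after the sleep.
 * Returns 1 if the same socket is seen before and after, else 0. */
int send_racy(void) {
    reset();
    void *before = syslogf->f_data;
    sleep_point();
    return syslogf->f_data == before;
}

/* Fixed shape: one read of the global, reference held on the local copy. */
int send_fixed(void) {
    reset();
    struct file *fp = syslogf;               /* single access */
    fp->f_count++;                           /* keeps fp alive across the sleep */
    void *before = fp->f_data;
    sleep_point();
    int same = (fp->f_data != NULL && fp->f_data == before);
    fp->f_count--;                           /* release our reference */
    return same;
}

int main(void) {
    printf("racy: %d, fixed: %d\n", send_racy(), send_fixed());
    return 0;
}
```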