From b5a8b933d4994835e10226562ff8126298c96693 Mon Sep 17 00:00:00 2001 From: John Baldwin Date: Wed, 10 Jun 2026 09:44:10 -0400 Subject: [PATCH] ppp: Don't fetch a non-existent variadic argument Only fetch the optional mode argument to ID0open to pass to open(2) if O_CREAT is present in the flags argument. It is UB to fetch an argument that doesn't exist. On CHERI this UB results in a fault. Reviewed by: brooks Obtained from: CheriBSD Sponsored by: AFRL, DARPA Differential Revision: https://reviews.freebsd.org/D57137 --- usr.sbin/ppp/id.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr.sbin/ppp/id.c b/usr.sbin/ppp/id.c index c7d512380af..35bd3f08c26 100644 --- a/usr.sbin/ppp/id.c +++ b/usr.sbin/ppp/id.c @@ -145,7 +145,10 @@ ID0open(const char *path, int flags, ...) va_start(ap, flags); ID0set0(); - ret = open(path, flags, va_arg(ap, int)); + if (flags & O_CREAT) + ret = open(path, flags, va_arg(ap, int)); + else + ret = open(path, flags); log_Printf(LogID0, "%d = open(\"%s\", %d)\n", ret, path, flags); ID0setuser(); va_end(ap);