From owner-freebsd-bugs@FreeBSD.ORG Sat Apr 3 01:50:14 2004
Date: Sat, 3 Apr 2004 01:50:14 -0800 (PST)
Message-Id: <200404030950.i339oENP061270@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: David Schultz
Subject: Re: kern/64983: regfree() crasher
Reply-To: David Schultz
List-Id: Bug reports

The following reply was made to PR kern/64983; it has been noted by GNATS.

From: David Schultz
To: Balazs Nagy
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/64983: regfree() crasher
Date: Sat, 3 Apr 2004 01:45:12 -0800

On Wed, Mar 31, 2004, Balazs Nagy wrote:
> regfree() in src/libc/regex/regfree.c doesn't check parameter, and with an
> invalid pointer, the application crashes.
[...]
> My problem originated with apache2, which dumps core multiple times. I
> recompiled Apache2 with --enable-maintainer-mode, and did a gdb backtrace:
[...]
> --- lib/libc/regex/regfree.c.orig	Fri Mar 22 22:52:47 2002
> +++ lib/libc/regex/regfree.c	Wed Mar 31 11:01:00 2004
> @@ -62,6 +62,8 @@
>  {
>  	struct re_guts *g;
>  
> +	if (!preg)
> +		return;
>  	if (preg->re_magic != MAGIC1)	/* oops */
>  		return;			/* nice to complain, but hard */

The result of regfree() on an invalid pointer is undefined, so your problem
looks like a bug in Apache.

It isn't clear what regfree() should do, in general, when it detects a bug.
Right now, it silently returns when it notices some types of corruption.
Arguably it should abort so such bugs can be caught, but changing it now
could break applications that (wrongly) depend on the behaviour. You are
suggesting the opposite, namely, that regfree() should try harder to hide
application bugs from the programmer...
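Review bot: the added `if (!preg) return;` only catches a NULL argument, while the report describes a crash on an "invalid pointer", which in an Apache backtrace is at least as likely to be a non-NULL dangling or uninitialised regex_t; on that input the very next line, `if (preg->re_magic != MAGIC1)`, dereferences it and crashes exactly as before, so the hunk does not address the reported symptom. If a NULL guard is kept at all, it should follow the function's existing convention for detected misuse (the silent `return` on a bad re_magic, commented "nice to complain, but hard") and be documented alongside it, since a caller passing NULL has the same defect as a caller passing an already freed handle and there is no reason to treat the two differently. The change that actually removes the crash is on the caller side: record whether the regex_t was compiled and free it at most once, which is where the reply locates the bug.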
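The reply's position is that the fix belongs in the application, not in regfree(). The following is an added example (not code from the PR, from Apache, or from FreeBSD libc) of the caller-side discipline that makes the crash impossible: a hypothetical wrapper `struct rx` pairs each regex_t with a "compiled" flag, so regfree() is only ever handed a handle that regcomp() successfully initialised, and only once. The `rx_*` function names, the sample patterns and the constructed subject strings are this example's own assumptions.

```c
/* Added example, not from PR kern/64983 or FreeBSD libc: ownership
 * tracking for regex_t so that regfree() is never reached with a NULL,
 * uninitialised, or already freed handle. */
#include <regex.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wrapper: the regex_t plus a flag recording whether
 * regcomp() succeeded on it. Zero-initialise or go through rx_compile(). */
struct rx {
    regex_t re;
    bool compiled;
};

/* Returns 0 on success or the regcomp() error code. On failure the
 * handle is left marked "not compiled", so a later rx_free() is a no-op
 * instead of a regfree() on memory regcomp() never filled in. */
int rx_compile(struct rx *h, const char *pattern, int cflags)
{
    h->compiled = false;
    int rc = regcomp(&h->re, pattern, cflags);
    if (rc == 0)
        h->compiled = true;
    return rc;
}

/* Returns 1 on match, 0 on no match, -1 if the handle is not compiled. */
int rx_match(const struct rx *h, const char *s)
{
    if (!h->compiled)
        return -1;
    return regexec(&h->re, s, 0, NULL, 0) == 0 ? 1 : 0;
}

/* Returns true if regfree() was actually called, false if the handle was
 * NULL or not compiled. Idempotent: a second call on the same handle, the
 * double free pattern behind the reported core dumps, never reaches libc. */
bool rx_free(struct rx *h)
{
    if (h == NULL || !h->compiled)
        return false;
    regfree(&h->re);
    h->compiled = false;
    return true;
}

/* Compile, match once, free. Returns 1/0 for match, -1 for a bad pattern. */
int rx_match_once(const char *pattern, const char *s)
{
    struct rx h;
    if (rx_compile(&h, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int r = rx_match(&h, s);
    rx_free(&h);
    return r;
}

/* Walks one full lifecycle including the misuse cases and returns how many
 * times regfree() was really invoked: exactly one, despite four rx_free()
 * calls and one failed compile. */
int rx_demo(void)
{
    struct rx good, bad;
    int frees = 0;

    /* Constructed sample pattern and request line, not from the page. */
    if (rx_compile(&good, "^GET /[a-z]+ HTTP/1\\.[01]$",
                   REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    (void)rx_match(&good, "GET /index HTTP/1.1");
    frees += rx_free(&good);   /* real regfree()        */
    frees += rx_free(&good);   /* second call: no-op    */
    frees += rx_free(NULL);    /* NULL handle: no-op    */

    /* Unterminated bracket: regcomp() fails, handle stays uncompiled. */
    if (rx_compile(&bad, "[abc", REG_EXTENDED) == 0)
        return -2;
    frees += rx_free(&bad);    /* never compiled: no-op */
    return frees;
}

int main(void)
{
    printf("regfree() calls made: %d\n", rx_demo());
    printf("match: %d\n", rx_match_once("ab+c", "xabbbcy"));
    return 0;
}
```

The point of the flag is that every state the report's crash can come from (NULL, never compiled, compiled then freed) is rejected before the call, so the library's own undefined behaviour on bad input is never exercised, and the application does not need libc to guess what it meant.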