From owner-freebsd-bugs Sun Aug 2 04:20:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA02098 for freebsd-bugs-outgoing; Sun, 2 Aug 1998 04:20:12 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA02032 for ; Sun, 2 Aug 1998 04:20:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id EAA26283; Sun, 2 Aug 1998 04:20:01 -0700 (PDT)
Received: from tim.xenologics.com (tim.xenologics.com [194.77.5.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA01809 for ; Sun, 2 Aug 1998 04:18:17 -0700 (PDT) (envelope-from seggers@semyam.dinoco.de)
Received: (from uucp@localhost) by tim.xenologics.com (8.8.5/8.8.8) with UUCP id NAA27738 for FreeBSD-gnats-submit@freebsd.org; Sun, 2 Aug 1998 13:14:20 +0200 (MET DST)
Received: (from seggers@localhost) by semyam.dinoco.de (8.8.8/8.8.8) id NAA02076; Sun, 2 Aug 1998 13:12:18 +0200 (CEST) (envelope-from seggers)
Message-Id: <199808021112.NAA02076@semyam.dinoco.de>
Date: Sun, 2 Aug 1998 13:12:18 +0200 (CEST)
From: Stefan Eggers
Reply-To: seggers@semyam.dinoco.de
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: seggers@semyam.dinoco.de
X-Send-Pr-Version: 3.2
Subject: bin/7469: ppp uses freed memory on quit from prompt
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         7469
>Category:       bin
>Synopsis:       ppp uses freed memory on quit from prompt
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 2 04:20:00 PDT 1998
>Last-Modified:
>Originator:     Stefan Eggers
>Organization:
none
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:
-current system cvsup'ed on Friday, PPP source updated to the most current from a few minutes ago to see if the bug is fixed there.
>Description:
I start ppp with "ppp xnc" where xnc is the label I gave my provider's entry in /etc/ppp/ppp.conf. Not doing anything else at the prompt, I quit it. Core dump.

This is with /etc/malloc.conf set to AJ. A very useful setting I turned on just a few minutes ago. ;-)
>How-To-Repeat:
Set /etc/malloc.conf to AJ (which means make a soft link named /etc/malloc.conf pointing to AJ; see malloc(3)) and then try the above-mentioned sequence with ppp.
>Fix:
I looked around for a cause and after some reading of the source I found out that on a "quit" command the promptlist entry which is associated with the command line gets unregistered and deallocated. This causes the promptlist in log.c to change.

The problem is that the loop you see below gets from one entry on the list to the next. When it gets to the one for the command line, the call to descriptor_Read() will process the "quit" command. This in turn will deallocate the entry p is pointing to. Now trying to get to the next entry is an illegal operation which just works because no other function overwrote the already freed memory.
The most general solution would be to restart the whole loop after calling descriptor_Read(), i.e. do a "p = log_PromptList(); continue;" at that point. This will prevent similar problems with other callbacks which might change the promptlist. I didn't fix it this way because I don't know what implications this might have on other parts of the program. Thus I fixed it this way, which works for me:

Index: server.c
===================================================================
RCS file: /usr2/FreeBSD/CVSROOT/src/usr.sbin/ppp/server.c,v
retrieving revision 1.22
diff -u -r1.22 server.c
--- server.c	1998/06/27 14:18:10	1.22
+++ server.c	1998/08/02 10:52:18
@@ -95,7 +95,7 @@
   struct sockaddr *sa = (struct sockaddr *)hisaddr;
   struct sockaddr_in *in = (struct sockaddr_in *)hisaddr;
   int ssize = ADDRSZ, wfd;
-  struct prompt *p;
+  struct prompt *p, *pnxt;
 
   if (s->fd >= 0 && FD_ISSET(s->fd, fdset)) {
     wfd = accept(s->fd, sa, &ssize);
@@ -152,9 +152,12 @@
     }
   }
 
-  for (p = log_PromptList(); p; p = p->next)
+  for (p = log_PromptList(); p; p = pnxt)
+  {
+    pnxt = p->next;
     if (descriptor_IsSet(&p->desc, fdset))
       descriptor_Read(&p->desc, bundle, fdset);
+  }
 }
 
 static int
>Audit-Trail:
>Unformatted:
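Review bot: in the second hunk, saving `pnxt = p->next` before `descriptor_Read()` only protects against the callback freeing `p` itself; if a callback ever unregisters a different prompt (the successor in particular), `pnxt` is left dangling, which is the case the restart-the-walk variant mentioned above (`p = log_PromptList(); continue;`) would also cover, so a comment on that limitation next to the loop would help the next reader. Minor style point: the added `{` on its own line after the `for` does not match the `if (...) {` brace placement visible in the first hunk; putting it on the `for` line keeps the file consistent.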
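The list walk described in the Fix section, reduced to a self-contained C program as an added example (not ppp's code and not part of this PR): a minimal stand-in prompt list, a read callback that unregisters and frees its own entry on "quit", and the PR's save-the-successor loop over it, exercised with the quitting prompt at the head, in the middle and at the tail. The names `prompt_Destroy`, `prompt_Read`, `service_prompts` and `service_and_count` are hypothetical; the 0xd0 fill stands in for malloc.conf's `J` option, which is what turned the read of freed memory into a core dump in the report.

```c
#include <stdlib.h>
#include <string.h>
/* Minimal stand-in for ppp's prompt list; hypothetical, not ppp's own code. */
struct prompt {
  struct prompt *next;
  int quit;                   /* this prompt's pending command is "quit" */
};
static struct prompt *head;   /* stand-in for log_PromptList() */
/* Unlink and free one prompt, as servicing a "quit" command does in ppp. */
static void prompt_Destroy(struct prompt *p)
{
  struct prompt **pp = &head;
  while (*pp != p)
    pp = &(*pp)->next;
  *pp = p->next;
  memset(p, 0xd0, sizeof *p); /* mimic malloc.conf 'J': junk freed memory */
  free(p);
}
/* Stand-in for descriptor_Read(): may destroy the very prompt passed in. */
static void prompt_Read(struct prompt *p)
{
  if (p->quit)
    prompt_Destroy(p);
}
/* The PR's fix: fetch the successor before the callback may free p, where
   "p = p->next" in the for-clause would read it from freed memory. */
static void service_prompts(void)
{
  struct prompt *p, *pnxt;
  for (p = head; p; p = pnxt) {
    pnxt = p->next;
    prompt_Read(p);
  }
}
/* Register prompts for fds 3..5 (the one on quit_fd has a pending "quit"),
   service them once, and return how many prompts remain registered. */
static int service_and_count(int quit_fd)
{
  struct prompt *p;
  int fd, n = 0;
  for (head = NULL, fd = 3; fd <= 5; fd++) {
    if (!(p = malloc(sizeof *p)))
      return -1;
    p->quit = (fd == quit_fd), p->next = head;
    head = p;
  }
  service_prompts();
  for (p = head; p; p = p->next) n++;
  return n;
}
```

Whichever prompt quits, the other two are still serviced and remain registered; with the original `p = p->next` in the for-clause the walk would instead continue from the junked entry.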