From owner-freebsd-bugs  Fri Aug  9 22:10:11 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9C0DA37B400
	for <freebsd-bugs@hub.freebsd.org>; Fri,  9 Aug 2002 22:10:02 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EA5D743E77
	for <freebsd-bugs@hub.freebsd.org>; Fri,  9 Aug 2002 22:10:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g7A5A1JU053356
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 9 Aug 2002 22:10:01 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g7A5A1ic053355;
	Fri, 9 Aug 2002 22:10:01 -0700 (PDT)
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F01DE37B400
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  9 Aug 2002 22:02:49 -0700 (PDT)
Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 77BC443E65
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  9 Aug 2002 22:02:49 -0700 (PDT)
	(envelope-from dhagan@cowpie.acm.vt.edu)
Received: from cowpie.acm.vt.edu (yo_momma@localhost [127.0.0.1])
	by cowpie.acm.vt.edu (8.12.3/8.12.3) with ESMTP id g7A52mYj013976;
	Sat, 10 Aug 2002 01:02:48 -0400 (EDT)
	(envelope-from dhagan@cowpie.acm.vt.edu)
Received: (from dhagan@localhost)
	by cowpie.acm.vt.edu (8.12.3/8.12.3/Submit) id g7A52mwM013975;
	Sat, 10 Aug 2002 01:02:48 -0400 (EDT)
Message-Id: <200208100502.g7A52mwM013975@cowpie.acm.vt.edu>
Date: Sat, 10 Aug 2002 01:02:48 -0400 (EDT)
From: Daniel Hagan <dhagan@acm.vt.edu>
Reply-To: Daniel Hagan <dhagan@acm.vt.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: mheffner@acm.vt.edu
X-Send-Pr-Version: 3.113
Subject: bin/41511: [PATCH] watch.c case statement fall-through
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         41511
>Category:       bin
>Synopsis:       [PATCH] watch.c case statement fall-through
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 09 22:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Hagan
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
Va Tech ACM
>Environment:
System: FreeBSD ansible.private.kickidle.net 4.6-STABLE FreeBSD 4.6-STABLE #1: Fri Aug  9 23:15:34 EDT 2002     root@ansible.private.kickidle.net:/usr/src/sys/compile/ANSIBLE  i386


>Description:

	When running watch ('watch -W ttyv0', for example), and the tty closes,
watch will ask what tty to reconnect.  Pressing enter (accepting the supplied
default of reopenning the current tty) results in watch dying from a failed 
malloc.

	In watch.c:409, there are no break statements in the cases.  When 
ioctl() returns SNP_TTYCLOSE (-2) in idata, the case falls-through to the
default case after the TTYCLOSE is processed.  idata is cast into an unsigned
variable, resulting in a call to malloc requesting 4294967294 bytes of memory
(on i386 platform).  This, obviously, fails.

>How-To-Repeat:

	Compile a kernel w/ psuedo-device snp support.  MAKEDEV snp0.  On a 
terminal besides ttyv0, execute `watch -W ttyv0`.  Login, then logout to force
the tty to close.  When prompted for the name of the tty to reopen, press 
Enter.  Watch should fail w/ the message "watch: fatal: malloc failed".

>Fix:

	I have performed MINIMAL testing on the following change, and it 
fixed my problem without introducing obvious problems.  I didn't rigorously 
test watch w/ this change in place though.

Apply following diff to /usr/src/usr.sbin/watch.c.

begin 600 watch.c.diff
M+2TM('=A=&-H+F,N;W)I9PE3870@075G(#$P(#`P.C0W.C$S(#(P,#(**RLK
M('=A=&-H+F,)4V%T($%U9R`Q,"`P,#HT-SHT-2`R,#`R"D!`("TT,34L-B`K
M-#$U+#<@0$`*(`D)"0ES971?9&5V*&1E=E]N86UE*3L*(`D)"7T@96QS90H@
M"0D)"6-L96%N=7`H+3$I.PHK"0D)8G)E86L["B`)"6-A<V4@4TY07T1%5$%#
M2#H*(`D)8V%S92!33E!?5%190TQ/4T4Z"B`)"0EI9B`H;W!T7W)E8V]N;E]C
M;&]S92D*0$`@+30R-"PV("LT,C4L-R!`0`H@"0D)"7-E=%]D978H9&5V7VYA
M;64I.PH@"0D)?2!E;'-E"B`)"0D)8VQE86YU<"@M,2D["BL)"0EB<F5A:SL*
M(`D)9&5F875L=#H*(`D)"6YR96%D(#T@*'5N<VEG;F5D*6ED871A.PH@"0D)
M:68@*&YR96%D(#P@*&)?<VEZ92`O(#(I("8F("AB7W-I>F4@+R`R*2`^($U)
*3E]325I%*2!["@``
`
end


>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message