Message-Id: <200809032101.m83L1piE011666@www.freebsd.org>
Date: Wed, 3 Sep 2008 21:01:51 GMT
From: Jeff Blank
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: ports/127075: comms/qpage segmentation fault due to freeing already-freed memory

>Number: 127075
>Category: ports
>Synopsis: comms/qpage segmentation fault due to freeing already-freed memory
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 03 21:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Jeff Blank
>Release: FreeBSD 7.0-RELEASE
>Organization:
>Environment:
FreeBSD zorak.tc.mtu.edu 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #0: Mon Jul 14 17:18:38 EDT 2008 root@zorak.tc.mtu.edu:/usr/obj/usr/src/sys/ULE_POLLING i386
>Description:
When qpage in daemon mode receives a SIGHUP, it frees malloc-ed memory before rereading its configuration file. The problem occurs on line 1410 of config.c, where a pointer to a service declaration is freed. The memory at that address is not a separate allocation for each PAGER struct, and furthermore, the entire service list has been freed by the time free_pagers() is called. Calling free() on a pointer that points to unallocated memory appears to cause a segmentation fault.
>How-To-Repeat:
Build and install ports/qpage. No tunables are present in the Makefile. Install a working qpage.cf in /usr/local/etc (perhaps just using the qpage-example.cf provided). It is not necessary to have a modem available as long as the configuration file can be edited to reference an existing /dev/cua* device that is not otherwise in use ("modem=/dev/XXX" in qpage.cf). Execute '/usr/local/etc/rc.d/qpage.sh start'.
At this point, there should be one qpage process running. Send the process a SIGHUP, wait a moment, and send another SIGHUP. qpage will have exited with a segmentation fault (logged to /var/log/messages by a standard FreeBSD configuration). >Fix: attached patch Patch attached with submission follows: --- config.c.orig Fri Jan 1 22:14:50 1999 +++ config.c Wed May 4 16:28:49 2005 @@ -1407,7 +1407,6 @@ my_free(list->name); my_free(list->text); my_free(list->pagerid); - my_free(list->service); free(list); } } >Release-Note: >Audit-Trail: >Unformatted:
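Review bot: the hunk at @@ -1407,7 +1407,6 @@ drops `my_free(list->service);` without leaving anything in its place to say why `service` is the one member not freed here. Add a one-line comment at that spot stating that `list->service` points into the service list and is released with it, so the call is not restored later by someone who reads the run of `my_free()` calls as incomplete. Since the report says the service list is already freed before free_pagers() runs, it is also worth confirming that no code path assigns `list->service` a separately allocated block, which this change would then leak, and re-testing with two SIGHUPs in a row as in the How-To-Repeat steps.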
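The ownership error described in the report, as an added example that is not qpage code and not part of the original submission: a constructed C model in which two pagers share one service and the teardown runs in the order the report gives. The struct layouts and the tracking allocator (`t_alloc`, `t_free`, `t_reset`) are assumptions made for illustration; repeated frees are counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model, not qpage source: pagers borrow a pointer to a service
 * whose only owner is the service list. */
typedef struct service { struct service *next; } service_t;
typedef struct pager { char *name; service_t *service; struct pager *next; } pager_t;

#define SLOTS 8
static void *slot[SLOTS];   /* every block handed out in this run */
static int alive[SLOTS];    /* 1 while a block is logically allocated */
static int bad_frees;       /* frees of a block that was already freed */

static void *t_alloc(size_t n) {
    for (int i = 0; i < SLOTS; i++)
        if (!slot[i] && (slot[i] = calloc(1, n))) { alive[i] = 1; return slot[i]; }
    abort();                /* out of memory or table too small */
}
/* Mark a block freed. The real free() is deferred to t_reset(), so a repeated
 * free is counted instead of executed and no dangling pointer is ever read. */
static void t_free(void *p) {
    for (int i = 0; p && i < SLOTS; i++)
        if (slot[i] == p) { if (alive[i]) alive[i] = 0; else bad_frees++; return; }
}
static void t_reset(void) {
    for (int i = 0; i < SLOTS; i++) { free(slot[i]); slot[i] = NULL; alive[i] = 0; }
    bad_frees = 0;
}
/* Tear down in the order the report describes: service list first, pagers
 * second. pager_frees_service=1 models free_pagers() before the patch. */
int reload_teardown(int pager_frees_service) {
    t_reset();
    service_t *svc = t_alloc(sizeof *svc);
    pager_t *head = NULL;
    for (int i = 0; i < 2; i++) {
        pager_t *p = t_alloc(sizeof *p);
        p->name = t_alloc(8);
        p->service = svc; p->next = head; head = p;   /* service is borrowed */
    }
    t_free(svc);                                      /* owner frees the service */
    for (pager_t *next = NULL; head; head = next) {
        next = head->next;
        t_free(head->name);
        if (pager_frees_service) t_free(head->service);
        t_free(head);
    }
    return bad_frees;
}
int main(void) {
    printf("invalid frees: pre-patch=%d patched=%d\n", reload_teardown(1), reload_teardown(0));
    t_reset();
}
```

With a real allocator each counted repeat would be a `free()` of an address that is no longer allocated, which is the crash the report describes.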