From owner-freebsd-bugs@FreeBSD.ORG  Fri Mar 31 23:10:21 2006
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E644016A423
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 31 Mar 2006 23:10:21 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9626743D58
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 31 Mar 2006 23:10:19 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k2VNAJOV085731
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 31 Mar 2006 23:10:19 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k2VNAJlo085730;
	Fri, 31 Mar 2006 23:10:19 GMT (envelope-from gnats)
Resent-Date: Fri, 31 Mar 2006 23:10:19 GMT
Resent-Message-Id: <200603312310.k2VNAJlo085730@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, jin@george.lbl.gov
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 10D6516A420
	for <FreeBSD-gnats-submit@freebsd.org>;
	Fri, 31 Mar 2006 23:04:46 +0000 (UTC)
	(envelope-from jin@portnoy.lbl.gov)
Received: from portnoy.lbl.gov (portnoy.lbl.gov [131.243.2.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F1C3443D5A
	for <FreeBSD-gnats-submit@freebsd.org>;
	Fri, 31 Mar 2006 23:04:44 +0000 (GMT)
	(envelope-from jin@portnoy.lbl.gov)
Received: from portnoy.lbl.gov (localhost [127.0.0.1])
	by portnoy.lbl.gov (8.13.6/8.13.6) with ESMTP id k2VN4iCg009796
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>;
	Fri, 31 Mar 2006 15:04:44 -0800 (PST)
Received: (from jin@localhost)
	by portnoy.lbl.gov (8.13.6/8.13.6/Submit) id k2VN4iNB009795;
	Fri, 31 Mar 2006 15:04:44 -0800 (PST)
Message-Id: <200603312304.k2VN4iNB009795@portnoy.lbl.gov>
Date: Fri, 31 Mar 2006 15:04:44 -0800 (PST)
From: Jin Guojun (DSD staff) <jin@george.lbl.gov>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: bin/95175: bsdtar core dump on non-existing symlink
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: jin@george.lbl.gov
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2006 23:10:22 -0000


>Number:         95175
>Category:       bin
>Synopsis:       bsdtar core dump on non-existing symlink
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 31 23:10:19 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Jin Guojun (DSD staff)
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD 6.0-RELEASE FreeBSD 


	FreeBSD 6.0 and 6.1-BETA4
>Description:
	using command "tar -ch " to do archive. If there is empty
	(non existing) symlink, tar will coredump due to no NULL pointer
	checking.

>How-To-Repeat:
	cd /tmp
	mkdir test
	ln -s /mnt/onwhere test
	tar -chf /dev/null test
	coredump ...
>Fix:

	This happens in function write_hierarchy()
	in /usr/src/usr.bin/tar/write.c file:
        case 'L':
                /* 'L': Do descend through a symlink to dir. */
                /* 'L': Archive symlink to file as file. */
L 631           lst = tree_current_stat(tree);
                break;
        default:
 
...
 
L650    if (new_enough(bsdtar, name, lst)) {
                write_entry(bsdtar, a, lst, name,
                    tree_current_pathlen(tree),
                    tree_current_access_path(tree));
        }

-------------

Line 631 returns NULL to lst when the symlink points to non existing file
or directory. This is then passed to all codes at block start L650.
None of this routines check if the argument "lst" is NULL.
Eventually, it coredump in write_entry() function when *st (passed from lst)
is referenced.

lst must be checked before line 650 and proper branch needs to be taken
when lst is NULL (should be treated as regular symlink).
>Release-Note:
>Audit-Trail:
>Unformatted: