From owner-freebsd-bugs Thu Dec 12 00:40:07 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id AAA29934 for bugs-outgoing; Thu, 12 Dec 1996 00:40:07 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id AAA29922; Thu, 12 Dec 1996 00:40:05 -0800 (PST)
Resent-Date: Thu, 12 Dec 1996 00:40:05 -0800 (PST)
Resent-Message-Id: <199612120840.AAA29922@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, davidn@blaze.net.au
Received: from nserver.blaze.net.au ([203.17.53.4]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id AAA29807 for ; Thu, 12 Dec 1996 00:39:14 -0800 (PST)
Received: (from davidn@localhost) by nserver.blaze.net.au (8.8.4/8.6.9) id TAA02811; Thu, 12 Dec 1996 19:39:00 +1100 (EST)
Message-Id: <199612120839.TAA02811@nserver.blaze.net.au>
Date: Thu, 12 Dec 1996 19:39:00 +1100 (EST)
From: davidn@blaze.net.au
Reply-To: davidn@blaze.net.au
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/2196: Bug in src/libc/gen/getttyent.c, use of freed memory
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         2196
>Category:       bin
>Synopsis:       Bug in src/libc/gen/getttyent.c, use of freed memory
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 12 00:40:03 PST 1996
>Last-Modified:
>Originator:     David Nugent - davidn@blaze.net.au
>Organization:   Unique Computing, Melbourne, Australia
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:
Any FreeBSD system, most obvious with phkmalloc and /etc/malloc.conf -> AJ. Not obvious otherwise since freed memory will not be overwritten. This fix should go into the 2.2 tree as well as -current since the problem is present there too.
>Description:
src/lib/libc/gen/getttyent.c endttyent() frees memory which is referenced by a pointer returned by getttynam(), so the call basically returns garbage if malloc() is configured to overwrite freed memory.
>How-To-Repeat:
Running mgetty+sendfax, no term set by mgetty, login calls getttynam() to retrieve the term type for the current tty, but gets back garbage if malloc's "junk fill" feature is enabled. Basically, getttynam() does not work and is buggy.
>Fix:
Don't free memory in endttyent(). Not really tidy, but there's no other simple solution other than requiring the application to call endttyent() instead of calling it in getttynam() [which would be inconsistent behaviour for get*nam() style routines]. The patch below #defines away the memory free in endttyent(). This will not result in a rampant memory leak since this memory is reused if needed by subsequent calls into the *ttyent routines.

--- getttyent.c.orig	Tue Oct 22 09:56:23 1996
+++ getttyent.c	Thu Dec 12 19:27:30 1996
@@ -207,11 +207,17 @@ { int rval; +#if 0 + /* + * Can't free this because getttynam() + * may still be referencing it + */ if (line) { free(line); line = NULL; lbsize = 0; } +#endif if (tf) { rval = (fclose(tf) != EOF); tf = NULL; >Audit-Trail: >Unformatted:
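Review bot: wrapping the `if (line) { free(line); line = NULL; lbsize = 0; }` block in `#if 0` leaves permanently dead code in endttyent(); if the free is never coming back, delete the block outright and keep the "Can't free this because getttynam() may still be referencing it" comment beside the remaining `if (tf)` close so the next reader knows `line` is retained on purpose. Worth stating in the getttyent(3) man page as well: after this change the struct returned by getttynam() stays valid across endttyent(), but only until the next getttyent()/getttynam() call reuses or reallocates `line`, which is the usual get*nam() contract but is not obvious from the code.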
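The report describes a classic lifetime bug: get*nam() routines return a pointer into a library-owned buffer, and an end*() call that frees that buffer turns the returned pointer into a dangling one that only becomes visible when malloc junk-fills freed memory. The following is an added, self-contained C model of that pattern; it is not the libc getttyent.c code and it does not read /etc/ttys. The two "ttys" lines, the `ttyent_model` struct and the `model_*` function names are constructed for the example. Built as-is it behaves like the patched library (the buffer `line` survives endttyent() and is reused by later calls); building with `-DFREE_IN_ENDENT=1` reintroduces the reported free so the dangling pointer can be caught with AddressSanitizer (`cc -fsanitize=address -DFREE_IN_ENDENT=1 ...`).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FREE_IN_ENDENT=1 rebuilds the reported bug: endent() releases `line`
 * while the caller of getnam() still holds a pointer into it.
 * The default (0) mirrors the PR's fix: end the scan, keep the buffer. */
#ifndef FREE_IN_ENDENT
#define FREE_IN_ENDENT 0
#endif

/* Constructed stand-in for /etc/ttys lines; not read from the real file. */
static const char *const fake_ttys[] = {
    "ttyv0 \"/usr/libexec/getty Pc\" cons25 on secure",
    "ttyd0 \"/usr/libexec/getty std.38400\" dialup on",
    NULL,
};

/* Hypothetical subset of struct ttyent: every field points into `line`. */
struct ttyent_model {
    char *ty_name;
    char *ty_getty;
    char *ty_type;
};

static struct ttyent_model tty;
static char *line = NULL;   /* heap buffer the returned struct points into */
static size_t lbsize = 0;   /* current allocation size of `line` */
static int cursor = -1;     /* -1 means "file not open" (stands in for tf) */

static void model_setttyent(void) { cursor = 0; }

static void model_endttyent(void)
{
#if FREE_IN_ENDENT
    if (line) { free(line); line = NULL; lbsize = 0; }  /* the use-after-free */
#endif
    cursor = -1;            /* the fclose(tf) part of the real routine */
}

/* Split off the next whitespace-separated or "quoted" field, in place. */
static char *next_field(char **pp)
{
    char *p = *pp, *start, *end;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0') { *pp = p; return NULL; }
    if (*p == '"') {
        start = ++p;
        while (*p && *p != '"') p++;
    } else {
        start = p;
        while (*p && *p != ' ' && *p != '\t') p++;
    }
    end = p;
    if (*p) p++;            /* step over the closing quote or separator */
    *end = '\0';
    *pp = p;
    return start;
}

static struct ttyent_model *model_getttyent(void)
{
    const char *src;
    char *p, *n;
    size_t need;

    if (cursor < 0)
        model_setttyent();
    src = fake_ttys[cursor];
    if (src == NULL)
        return NULL;
    cursor++;
    need = strlen(src) + 1;
    if (need > lbsize) {    /* grow `line`; it is reused across calls */
        n = realloc(line, need);
        if (n == NULL)
            return NULL;
        line = n;
        lbsize = need;
    }
    memcpy(line, src, need);
    p = line;
    tty.ty_name  = next_field(&p);
    tty.ty_getty = next_field(&p);
    tty.ty_type  = next_field(&p);
    return &tty;
}

/* Same shape as getttynam(): rewind, scan for the name, end the scan. */
static struct ttyent_model *model_getttynam(const char *name)
{
    struct ttyent_model *t;

    model_setttyent();
    while ((t = model_getttyent()) != NULL)
        if (strcmp(t->ty_name, name) == 0)
            break;
    model_endttyent();      /* with FREE_IN_ENDENT=1, t now dangles */
    return t;
}

int main(void)
{
    struct ttyent_model *t = model_getttynam("ttyv0");
    if (t != NULL)
        printf("%s -> %s\n", t->ty_name, t->ty_type);
    return 0;
}
```

The returned struct is only valid until the next `model_getttyent()` call rewrites `line`, which is the same contract the real get*nam() routines have; a caller that needs the type after further lookups must copy it out first.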