From owner-freebsd-bugs Tue Oct 7 13:40:09 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id NAA21475 for bugs-outgoing; Tue, 7 Oct 1997 13:40:09 -0700 (PDT) (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id NAA21458; Tue, 7 Oct 1997 13:40:02 -0700 (PDT) (envelope-from gnats)
Resent-Date: Tue, 7 Oct 1997 13:40:02 -0700 (PDT)
Resent-Message-Id: <199710072040.NAA21458@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, karl@mcs.net
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id NAA21099 for ; Tue, 7 Oct 1997 13:35:31 -0700 (PDT) (envelope-from karl@Codebase.mcs.net)
Received: from Codebase.mcs.net (codebase.mcs.net [192.160.127.89]) by Kitten.mcs.com (8.8.5/8.8.2) with ESMTP id PAA22851 for ; Tue, 7 Oct 1997 15:35:31 -0500 (CDT)
Received: (from root@localhost) by Codebase.mcs.net (8.8.7/8.8.2) id PAA15733; Tue, 7 Oct 1997 15:35:30 -0500 (CDT)
Message-Id: <199710072035.PAA15733@Codebase.mcs.net>
Date: Tue, 7 Oct 1997 15:35:30 -0500 (CDT)
From: karl@mcs.net
Reply-To: karl@mcs.net
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: misc/4722: Serious bug in the libdes library (under secure)
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 4722
>Category: misc
>Synopsis: enc_writ.c has a missing "static" declaration
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 7 13:40:00 PDT 1997
>Last-Modified:
>Originator: Karl Denninger
>Organization: MCSNet
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
All 2.2 and later versions
>Description:
The module enc_writ.c in /usr/src/secure/lib/libdes is missing a "static" declaration for a buffer.
This causes a buffer to be continually malloc(3)d on each invocation, eventually leading to memory exhaustion (it should only be malloc'd once) since the space is never free(3)d and the intent is to grab heap on start-up and keep it for the duration of the execution of the program.

Alternatively, if you're unlucky and the stack area you're pointing to is not initialized to zeros on each call, you get random results which could be far worse and lead to segmentation violations or corrupted data.

This code has not been touched in a LONG time; we knew of a problem quite some time ago, but weren't quite sure what was going on until recently when it became important to run down.
>How-To-Repeat:
Any code which calls des_enc_write() a sufficient number of times will eventually experience this problem. The symptom is that des_enc_write() will eventually return an error (-1) with errno set to 12 (ENOMEM).
>Fix:
Index: enc_writ.c =================================================================== RCS file: /usr/cvs/src/secure/lib/libdes/enc_writ.c,v retrieving revision 1.1.1.2 diff -r1.1.1.2 enc_writ.c 68c68 < char *outbuf=NULL; --- > static char *outbuf=NULL;
>Audit-Trail:
>Unformatted:
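
Review bot: the new declaration at line 68 (`static char *outbuf=NULL;`) carries no comment explaining why the pointer has to be static, and a static local buffer means every call shares one never-freed allocation, so the function is not reentrant. Suggest a comment at the declaration stating that the buffer is allocated once and deliberately held for the life of the program, as the description says, so that a later cleanup does not drop the `static` again, plus a note that concurrent callers must serialize their calls.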
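
The allocation pattern the description reports, reduced to a stand-alone C example that is added here and is not libdes code. `write_leaky`, `write_fixed`, `counted_malloc`, `count_allocs` and `BUF_SIZE` are hypothetical names, and the `memcpy` stands in for the encrypt-and-write step.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 4096               /* constructed size, not the libdes value */
static unsigned long alloc_calls;   /* how many times the buffer was allocated */
static void *counted_malloc(size_t n) { alloc_calls++; return malloc(n); }

/* Pre-fix pattern: the pointer is automatic, so it is NULL again on every call. */
int write_leaky(const char *data, size_t len)
{
    char *outbuf = NULL;
    if (len > BUF_SIZE)
        return -1;
    if (outbuf == NULL && (outbuf = counted_malloc(BUF_SIZE)) == NULL)
        return -1;              /* the ENOMEM symptom from the report */
    memcpy(outbuf, data, len);  /* stand-in for encrypt-and-write */
    return (int)len;            /* outbuf is never freed: one leak per call */
}

/* Post-fix pattern: static storage keeps the pointer between calls. */
int write_fixed(const char *data, size_t len)
{
    static char *outbuf = NULL;
    if (len > BUF_SIZE)
        return -1;
    if (outbuf == NULL && (outbuf = counted_malloc(BUF_SIZE)) == NULL)
        return -1;
    memcpy(outbuf, data, len);
    return (int)len;
}

/* Call fn `calls` times and report how many allocations that triggered. */
unsigned long count_allocs(int (*fn)(const char *, size_t), int calls)
{
    alloc_calls = 0;
    for (int i = 0; i < calls; i++)
        fn("constructed sample", 18);
    return alloc_calls;
}

int main(void)
{
    printf("leaky: %lu allocations\n", count_allocs(write_leaky, 100));
    printf("fixed: %lu allocations\n", count_allocs(write_fixed, 100));
    return 0;
}
```

The leaky variant allocates once per call and loses each pointer on return, which is the growth that ends in ENOMEM; the fixed variant allocates on the first call only.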