From owner-freebsd-bugs  Thu Jul  2 14:21:18 1998
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA11356
          for freebsd-bugs-outgoing; Thu, 2 Jul 1998 14:21:18 -0700 (PDT)
          (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA11349
          for <freebsd-bugs@FreeBSD.org>; Thu, 2 Jul 1998 14:21:16 -0700 (PDT)
          (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.8.8/8.8.5) id OAA21580;
	Thu, 2 Jul 1998 14:20:01 -0700 (PDT)
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA10892;
          Thu, 2 Jul 1998 14:16:36 -0700 (PDT)
          (envelope-from nobody)
Message-Id: <199807022116.OAA10892@hub.freebsd.org>
Date: Thu, 2 Jul 1998 14:16:36 -0700 (PDT)
From: kmayer@freegate.com
To: freebsd-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: www-1.0
Subject: bin/7148: in libc/gen/fts.c:fts_close, free is called before pointer access
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         7148
>Category:       bin
>Synopsis:       in libc/gen/fts.c:fts_close, free is called before pointer access
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul  2 14:20:00 PDT 1998
>Last-Modified:
>Originator:     Ken Mayer
>Organization:
FreeGate Corp
>Release:        2.2.6
>Environment:
>Description:
fts_close calls free(sp), the ISSET(FTS_NOCHDIR) which is a macro that 
references sp. The free needs to follow ISSET
>How-To-Repeat:

>Fix:
Here's a patch:

diff -c fts.c.orig fts.c
*** fts.c.orig  Thu Jul  2 14:11:24 1998
--- fts.c       Thu Jul  2 14:15:32 1998
***************
*** 212,218 ****
        FTS *sp;
  {
        register FTSENT *freep, *p;
!       int saved_errno;
  
        /*
         * This still works if we haven't read anything -- the dummy structure
--- 212,218 ----
        FTS *sp;
  {
        register FTSENT *freep, *p;
!       int saved_errno,i;
  
        /*
         * This still works if we haven't read anything -- the dummy structure
***************
*** 241,255 ****
                (void)close(sp->fts_rfd);
        }
  
-       /* Free up the stream pointer. */
-       free(sp);
- 
        /* Set errno and return. */
        if (!ISSET(FTS_NOCHDIR) && saved_errno) {
                errno = saved_errno;
!               return (-1);
        }
!       return (0);
  }
  
  /*
--- 241,258 ----
                (void)close(sp->fts_rfd);
        }
  
        /* Set errno and return. */
        if (!ISSET(FTS_NOCHDIR) && saved_errno) {
                errno = saved_errno;
!               i = -1;
!       } else {
!               i = 0;
        }
! 
!       /* Free up the stream pointer. */
!       free(sp);
! 
!       return i;
  }
  
  /*
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message