Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 12 Aug 2003 00:57:17 +0900
From:      qhwt@myrealbox.com
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        qhwt@myrealbox.com
Subject:   ports/55472: net/wide-dhcp dumps core on free()
Message-ID:  <20030811155717.GA20308@myrealbox.com>
Resent-Message-ID: <200308111600.h7BG0XmR068642@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         55472
>Category:       ports
>Synopsis:       net/wide-dhcp dumps core on free()
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 11 09:00:33 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     qhwt@myrealbox.com
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD qmr.here 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Fri Aug 8 12:07:56 JST 2003 freebsd@qmr.here:/usr/obj/home/source/freebsd/src/sys/QMR_ULE i386


	
>Description:
	
dhcps in net/wide-dhcp dumps core trying to parse binding database upon
startup. The core dump occurs in function read_subnet() defined in
file server/database.c, trying to free() a line buffer via a pointer
already modified inside prs_inaddr() called from get_ip() called from
read_subnet().

>How-To-Repeat:
	

 Make sure at least one valid line containing a dotted-decimal IP address
is in the binding database, and start dhcps.

 #/usr/local/etc/rc.d/wide-dhcps.sh start
 (start a DHCP client and acquire a lease)
 #/usr/local/etc/rc.d/wide-dhcps.sh stop
 #/usr/local/etc/rc.d/wide-dhcps.sh start

>Fix:

	

Apply the following patch. By the way, I've tried to report the bug to
dhcp-dist@wide.ad.jp (found in both source code and documentation),
but it bounced back to me.

--- database.c.orig	Fri Jan  1 22:35:33 1999
+++ database.c	Sun Aug  3 19:55:32 2003
@@ -560,15 +560,15 @@
   char **cp;
   struct in_addr *subnet;
 {
-  char *tmpstr;
+  char *tmpstr, *line;
   struct in_addr *tmpaddr;
 
-  if ((tmpstr = get_string(cp)) == NULL) {
+  if ((line = get_string(cp)) == NULL) {
     errno = 0;
     syslog(LOG_WARNING, "Can't get strings");
     return(-1);
   }
-
+  tmpstr = line;
   if ((tmpaddr = get_ip(&tmpstr)) == NULL) {
     errno = 0;
     syslog(LOG_WARNING, "get_ip() error in read_subnet()");
@@ -576,7 +576,7 @@
   }
 
   *subnet = *tmpaddr;
-  free(tmpstr);
+  free(line);
   free(tmpaddr);
 
   return(0);
>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030811155717.GA20308>