From owner-freebsd-bugs Wed Aug 27 22:00:02 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA07878 for bugs-outgoing; Wed, 27 Aug 1997 22:00:02 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA07844; Wed, 27 Aug 1997 22:00:01 -0700 (PDT)
Resent-Date: Wed, 27 Aug 1997 22:00:01 -0700 (PDT)
Resent-Message-Id: <199708280500.WAA07844@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, cagney@tpgi.com.au
Received: from oberon.tpgi.com.au (root@oberon.tpgi.com.au [203.12.160.2]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA07471 for ; Wed, 27 Aug 1997 21:52:02 -0700 (PDT)
Received: from b1.tpgi.com.au (mel-ppp-083.tpgi.com.au [203.12.163.83]) by oberon.tpgi.com.au (8.7.5/8.7.3) with ESMTP id OAA10300 for ; Thu, 28 Aug 1997 14:51:43 +1000 (EST)
Received: (from cagney@localhost) by b1.tpgi.com.au (8.8.5/8.7.3) id OAA15671; Thu, 28 Aug 1997 14:11:19 +1000 (EST)
Message-Id: <199708280411.OAA15671@b1.tpgi.com.au>
Date: Thu, 28 Aug 1997 14:11:19 +1000 (EST)
From: Andrew Cagney
Reply-To: cagney@tpgi.com.au
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/4403: vasprintf (3) corrupts memory
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         4403
>Category:       bin
>Synopsis:       vasprintf (3) corrupts memory
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 27 22:00:00 PDT 1997
>Last-Modified:
>Originator:     Andrew Cagney
>Organization:
>Release:        FreeBSD 2.1.7-RELEASE i386
>Environment:
Probably also in FreeBSD 2.2.2.
>Description:
vasprintf.c:vasprintf() unconditionally appends a null character to its
buffer. Since vasprintf.c:writehook() allows the buffer to completely
fill (left == 0), that store can blat memory beyond the buffer's bounds.
>How-To-Repeat:
Combine FreeBSD with GDB/mmalloc and wait for gdb to panic?
I suspect vasprintf (... "-128-characters-") will do it.
>Fix:
1 - Change writehook() to always keep one location in reserve.
or
2 - (better?) re-order the tail of vasprintf so that it reads:

	*str = realloc(h.base, (size_t)(h.size - h.left + 1));
	if (*str == NULL)		/* failed to realloc it to actual size */
		*str = h.base;		/* return oversize buffer */
	(*str)[h.size - h.left] = '\0';
	return (ret);
>Audit-Trail:
>Unformatted:
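The off-by-one the report describes, and both proposed fixes, as an added example that is not the submitter's code nor FreeBSD's vasprintf.c. It models the h.base/h.size/h.left state the PR names (assumed meaning: size = bytes allocated, left = bytes still unused) and feeds a constructed 128-byte argument straight to the write hook in place of vfprintf, which is the case the report suspects triggers the bug. hook_fill reproduces the reported behaviour (the buffer may fill to left == 0), hook_reserve is fix 1, and finish_fixed is fix 2 with one addition a practitioner would want: as written in the report, the reordered tail still stores the terminator past the end of h.base when realloc fails while left == 0, so this version gives up in that case instead of writing. terminator_overflows checks for the dangerous condition rather than performing the out-of-bounds store.

```c
#include <stdlib.h>
#include <string.h>

/* Output-buffer state, modelled on the h.base / h.size / h.left fields
 * named in the PR (assumed: size = bytes allocated, left = bytes unused). */
struct hbuf {
    char  *base;
    size_t size;
    size_t left;
};

/* Grow geometrically until at least `need` bytes are free. */
static int hbuf_grow(struct hbuf *h, size_t need)
{
    while (need > h->left) {
        size_t newsize = h->size * 2;
        char  *nb = realloc(h->base, newsize);
        if (nb == NULL)
            return -1;
        h->base  = nb;
        h->left += newsize - h->size;
        h->size  = newsize;
    }
    return 0;
}

/* Write hook as the PR describes it: the buffer may fill completely (left == 0). */
static int hook_fill(struct hbuf *h, const char *p, size_t n)
{
    if (hbuf_grow(h, n) < 0)
        return -1;
    memcpy(h->base + (h->size - h->left), p, n);
    h->left -= n;
    return 0;
}

/* Fix 1: always keep one location in reserve, so left never reaches 0. */
static int hook_reserve(struct hbuf *h, const char *p, size_t n)
{
    if (hbuf_grow(h, n + 1) < 0)
        return -1;
    memcpy(h->base + (h->size - h->left), p, n);
    h->left -= n;
    return 0;
}

/* The unconditional "base[size - left] = '\0'" store in the original tail
 * lands one past the allocation exactly when left == 0. Check, don't write. */
static int terminator_overflows(const struct hbuf *h)
{
    return h->left == 0;
}

/* Fix 2 (the PR's reordered tail) plus a realloc-failure path that never
 * writes past h.base: if realloc fails and the old buffer is full, fail. */
static char *finish_fixed(struct hbuf *h)
{
    size_t len = h->size - h->left;
    char  *s   = realloc(h->base, len + 1);
    if (s == NULL) {
        if (h->left == 0) {       /* no slot for '\0' in the old buffer */
            free(h->base);
            h->base = NULL;
            return NULL;
        }
        s = h->base;              /* oversize buffer, but it has room */
    }
    s[len] = '\0';
    h->base = NULL;               /* ownership moves to the caller */
    return s;
}

typedef int (*hook_fn)(struct hbuf *, const char *, size_t);

/* Run one hook with an `initial`-byte buffer and a constructed argument of
 * `arglen` 'A's (stand-in for vfprintf's output). Returns 1 if the original
 * terminator store would overflow, 0 if not, -1 on allocation failure.
 * If `out` is non-NULL it receives the safely terminated string. */
static int run_case(hook_fn hook, size_t initial, size_t arglen, char **out)
{
    struct hbuf h = { malloc(initial), initial, initial };
    char *arg = malloc(arglen + 1);
    int rc;
    if (h.base == NULL || arg == NULL) { free(h.base); free(arg); return -1; }
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    rc = hook(&h, arg, arglen);
    free(arg);
    if (rc < 0) { free(h.base); return -1; }
    rc = terminator_overflows(&h);
    if (out != NULL)
        *out = finish_fixed(&h);
    else
        free(h.base);
    return rc;
}
```

With a 128-byte initial buffer and a 128-character argument, hook_fill leaves left == 0 and the original tail's terminator store would land at base[128]; hook_reserve grows first, so the same input leaves a slot free. finish_fixed produces a correctly terminated string in both cases.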