From owner-freebsd-bugs Wed Aug 27 23:01:14 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA10088 for bugs-outgoing; Wed, 27 Aug 1997 23:01:14 -0700 (PDT)
Received: from hwcn.org (main.hwcn.org [199.212.94.65]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA10072; Wed, 27 Aug 1997 23:00:46 -0700 (PDT)
Received: from james.freenet.hamilton.on.ca (ac199@james.hwcn.org [199.212.94.66]) by hwcn.org (8.8.7/8.8.7) with ESMTP id CAA19995; Thu, 28 Aug 1997 02:01:21 -0400 (EDT)
Received: from localhost (ac199@localhost) by james.freenet.hamilton.on.ca (8.8.7/8.8.7) with SMTP id CAA16560; Thu, 28 Aug 1997 02:01:39 -0400 (EDT)
X-Authentication-Warning: james.freenet.hamilton.on.ca: ac199 owned process doing -bs
Date: Thu, 28 Aug 1997 02:01:39 -0400 (EDT)
From: Tim Vanderhoek
X-Sender: ac199@james.freenet.hamilton.on.ca
Reply-To: hoek@hwcn.org
To: Andrew Cagney
cc: FreeBSD-gnats-submit@FreeBSD.ORG, GNATS Management, freebsd-bugs@hub.freebsd.org
Subject: Re: bin/4403: vasprintf (3) corrupts memory
In-Reply-To: <199708280411.OAA15671@b1.tpgi.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

[dup and prev. fixed pr -- close]

[Out of curiosity, is it correct to keep the cc to gnats management here?
I typically delete it, but people typically delete this otherwise.]

On Thu, 28 Aug 1997, Andrew Cagney wrote:

> >Number:         4403
> >Category:       bin
> >Synopsis:       vasprintf (3) corrupts memory
[...]
> >Environment:
>
> Probably also in FreeBSD 2.2.2.

Yes.  But not anything beyond.  You could have tried getting a new copy of
vasprintf.c from -current.  The only reason it's in 2.2.2 is because people
(committers?) don't fix pr's when they're submitted.  Kudos to those who have
recently taken the time to close as many pr's as possible.

> vasprintf.c:vasprintf() unconditionally appends a null
> character to its buffer.  Since vasprintf.c:writehook()
> allows the buffer to completely fill (left == 0), that store
> can blat memory beyond the buffer's bounds.

This bug has been fixed.  The pr can be closed.

> >How-To-Repeat:
>
> Combine FreeBSD with GDB/mmalloc and wait for gdb to panic?

The original pr for this bug includes a how-to-repeat .c program.  The pr is
closed, of course.  :)

> or 2 - (better?) re-order the tail of vasprintf so that it reads:
>
>         *str = realloc(h.base, (size_t)(h.size - h.left + 1));
>         if (*str == NULL)       /* failed to realloc it to actual size */
>                 *str = h.base;  /* return oversize buffer */
>         (*str)[h.size - h.left] = '\0';
>         return (ret);

No, that could still overrun memory if realloc() fails and h.left == 0.

-- 
Outnumbered?  Maybe.  Outspoken?  Never!
tIM...HOEk
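The off-by-one under discussion, worked through as an added example that is not part of the thread above and not FreeBSD's vasprintf.c. The `struct helpers` fields (`base`, `size`, `left`) and the `writehook` name are borrowed from the PR text; the hook's growth policy, the `reserve_nul` switch and the helper functions are assumptions made for illustration. It shows three things: the original store of `'\0'` at index `size - left` lands one past the end when the hook has let `left` reach 0; the reordered tail from the PR still does so when `realloc()` fails and the oversize buffer is returned; and one possible fix, a hook that never lets `left` drop to 0, so the terminator always has room no matter what `realloc()` does. Rather than performing the out-of-bounds write, the code checks the index against the allocation and reports the overrun as a return value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable output buffer, modelled on the helper struct named in the PR.
 * The layout and the growth policy below are assumptions for this example. */
struct helpers {
    char   *base;   /* heap buffer */
    size_t  size;   /* bytes allocated */
    size_t  left;   /* bytes still unused */
};

/* Append n bytes, growing the buffer when it is full.
 * reserve_nul == 0 mirrors the original behaviour: left may reach 0.
 * reserve_nul != 0 is the hardened variant: always keep one spare byte,
 * so a later "(*str)[size - left] = '\0'" is in bounds. */
static int writehook(struct helpers *h, const char *p, size_t n, int reserve_nul)
{
    size_t need = n + (reserve_nul ? 1 : 0);
    if (need > h->left) {
        size_t used = h->size - h->left;
        size_t newsize = h->size ? h->size : 16;
        while (newsize - used < need)
            newsize *= 2;
        char *nb = realloc(h->base, newsize);
        if (nb == NULL)
            return -1;
        h->base = nb;
        h->left += newsize - h->size;
        h->size = newsize;
    }
    memcpy(h->base + (h->size - h->left), p, n);
    h->left -= n;
    return 0;
}

/* 1 if the terminator index (size - left) is outside the allocation. */
static int terminator_overruns(const struct helpers *h)
{
    return (h->size - h->left) >= h->size;
}

/* The reordered tail proposed in the PR, with the realloc outcome made
 * controllable so the failure path can be exercised. Returns 1 when the
 * '\0' store would be out of bounds of the buffer handed back in *out. */
static int tail_would_overrun(struct helpers *h, int realloc_fails, char **out)
{
    size_t used = h->size - h->left;
    size_t cap = h->size;                 /* capacity of what we return */
    if (!realloc_fails) {
        char *nb = realloc(h->base, used + 1);
        if (nb != NULL) { h->base = nb; cap = used + 1; }
    }
    *out = h->base;                       /* on failure: oversize buffer */
    if (used >= cap)
        return 1;                         /* index `used` is past the end */
    h->base[used] = '\0';
    return 0;
}

/* Start with a cap-byte buffer and push s through the hook. */
static int fill(struct helpers *h, size_t cap, const char *s, int reserve_nul)
{
    h->base = malloc(cap);
    if (h->base == NULL) return -1;
    h->size = cap;
    h->left = cap;
    return writehook(h, s, strlen(s), reserve_nul);
}

/* Original code: 8 bytes into an 8-byte buffer leaves left == 0, and the
 * unconditional NUL store would hit index 8. */
int original_bug_overruns(void)
{
    struct helpers h;
    if (fill(&h, 8, "12345678", 0) != 0) return -1;
    int r = terminator_overruns(&h);
    free(h.base);
    return r;
}

/* Reordered tail, realloc() fails, left == 0: still one past the end. */
int reordered_tail_overruns_on_realloc_failure(void)
{
    struct helpers h; char *out;
    if (fill(&h, 8, "12345678", 0) != 0) return -1;
    int r = tail_would_overrun(&h, 1, &out);
    free(out);
    return r;
}

/* Reordered tail, realloc() succeeds: the +1 makes room for the NUL. */
int reordered_tail_ok_when_realloc_succeeds(void)
{
    struct helpers h; char *out;
    if (fill(&h, 8, "12345678", 0) != 0) return -1;
    int ok = tail_would_overrun(&h, 0, &out) == 0 && strcmp(out, "12345678") == 0;
    free(out);
    return ok;
}

/* Hardened hook: left never reaches 0, so the store is always in bounds. */
int reserving_hook_fits(void)
{
    struct helpers h;
    if (fill(&h, 8, "12345678", 1) != 0) return -1;
    int ok = !terminator_overruns(&h);
    h.base[h.size - h.left] = '\0';
    ok = ok && strcmp(h.base, "12345678") == 0;
    free(h.base);
    return ok;
}

int main(void)
{
    printf("original tail overruns:                 %d\n", original_bug_overruns());
    printf("reordered tail overruns on realloc fail: %d\n", reordered_tail_overruns_on_realloc_failure());
    printf("reordered tail ok on realloc success:   %d\n", reordered_tail_ok_when_realloc_succeeds());
    printf("reserving hook keeps NUL in bounds:     %d\n", reserving_hook_fits());
    return 0;
}
```

The point the last function makes is the one that answers the thread: whatever the tail does with `realloc()`, the terminator is only safe if the writer guarantees `left >= 1` when formatting finishes (or, equivalently, allocates one byte more than it ever hands to the hook). Under a real allocator the overrun in the first two scenarios would be a silent one-byte heap write, which is why the original report surfaced only as a panic in GDB's mmalloc rather than at the faulty store.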