Date:      Thu, 28 Aug 1997 02:01:39 -0400 (EDT)
From:      Tim Vanderhoek <hoek@hwcn.org>
To:        Andrew Cagney <cagney@tpgi.com.au>
Cc:        FreeBSD-gnats-submit@FreeBSD.ORG, GNATS Management <gnats@FreeBSD.ORG>, freebsd-bugs@hub.freebsd.org
Subject:   Re: bin/4403: vasprintf (3) corrupts memory
Message-ID:  <Pine.GSO.3.96.970828015215.13863B-100000@james.freenet.hamilton.on.ca>
In-Reply-To: <199708280411.OAA15671@b1.tpgi.com.au>

[dup and prev. fixed pr -- close]

[Out of curiosity, is it correct to keep the cc to gnats
management here?  I typically delete it, but people typically
delete this otherwise.]

On Thu, 28 Aug 1997, Andrew Cagney wrote:

> >Number:         4403
> >Category:       bin
> >Synopsis:       vasprintf (3) corrupts memory
[...]
> >Environment:
> 
> 	Probably also in FreeBSD 2.2.2.

Yes.  But not anything beyond.  You could have tried getting a
new copy of vasprintf.c from -current.  The only reason it's in
2.2.2 is because people (committers?) don't fix pr's when they're
submitted.  Kudos to those who have recently taken the time to
close as many pr's as possible.


> 	vasprintf.c:vasprintf() unconditionally appends a null
> 	character to its buffer.  Since vasprintf.c:writehook()
> 	allows the buffer to completely fill (left == 0), that store
> 	can blat memory beyond the buffer's bounds.

This bug has been fixed.  The pr can be closed.


> >How-To-Repeat:
> 
> 	Combine FreeBSD with GDB/mmalloc and wait for gdb to panic?

The original pr for this bug includes a how-to-repeat .c program.
The pr is closed, of course.  :)


> or	2 - (better?) re-order the tail of vasprintf so that it reads:
> 
> 	*str = realloc(h.base, (size_t)(h.size - h.left + 1));
> 	if (*str == NULL)	/* failed to realloc it to actual size */
> 		*str = h.base;	/* return oversize buffer */
> 	(*str)[h.size - h.left] = '\0';
> 	return (ret);

No, that could still overrun memory if realloc() fails and h.left == 0.


--
Outnumbered?  Maybe.  Outspoken?  Never!
tIM...HOEk
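The failure mode discussed in this thread, as an added illustration that is not code from the report, the reply, or FreeBSD's libc: a toy buffer with the same `base`/`size`/`left` bookkeeping the report names, an append routine that (like `writehook`) may leave the buffer exactly full, a predicate showing when the unconditional terminator store would land one byte past the allocation, and a hardened tail that grows the buffer for the NUL before storing it and refuses to write if that `realloc()` fails. All function and struct names here are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the vasprintf(3) helper state named in the report:
 * 'base' is the growing output buffer, 'size' its allocation in bytes,
 * 'left' the number of bytes still unused.  Names are assumptions. */
struct hbuf {
    char *base;
    size_t size;
    size_t left;
};

static int hbuf_init(struct hbuf *h, size_t initial)
{
    h->base = malloc(initial);
    if (h->base == NULL)
        return -1;
    h->size = initial;
    h->left = initial;
    return 0;
}

/* Append bytes, doubling the allocation when needed.  Like the writehook in
 * the report, this is allowed to leave the buffer completely full (left == 0). */
static int hbuf_append(struct hbuf *h, const char *p, size_t n)
{
    while (n > h->left) {
        size_t newsize = h->size * 2;
        char *nb = realloc(h->base, newsize);
        if (nb == NULL)
            return -1;
        h->left += newsize - h->size;
        h->base = nb;
        h->size = newsize;
    }
    memcpy(h->base + (h->size - h->left), p, n);
    h->left -= n;
    return 0;
}

/* The tail as the report describes it stores '\0' at offset size - left
 * unconditionally.  This predicate returns 1 exactly when that store would
 * fall one byte past the allocation (left == 0); it performs no write. */
static int finish_unsafe_would_overrun(const struct hbuf *h)
{
    return (h->size - h->left) >= h->size;
}

/* Hardened tail: guarantee one spare byte before storing the terminator,
 * then trim to the exact length.  If the growing realloc() fails there is
 * nowhere safe to put the NUL, so the buffer is released and NULL returned,
 * which is the case the reply points out the proposed re-ordering misses.
 * The trimming realloc() is allowed to fail; the oversize buffer stays valid. */
static char *finish_safe(struct hbuf *h, size_t *lenp)
{
    size_t len = h->size - h->left;
    if (h->left == 0) {
        char *nb = realloc(h->base, h->size + 1);
        if (nb == NULL) {
            free(h->base);
            h->base = NULL;
            return NULL;
        }
        h->base = nb;
        h->size += 1;
        h->left = 1;
    }
    h->base[len] = '\0';
    char *trimmed = realloc(h->base, len + 1);
    if (trimmed != NULL)
        h->base = trimmed;
    if (lenp != NULL)
        *lenp = len;
    char *out = h->base;
    h->base = NULL;
    return out;
}

/* Exact-fill case: an 8-byte buffer receives exactly 8 bytes of output.
 * Returns 1 when the unsafe tail would have overrun and the safe tail
 * produced the correct terminated string, 0 otherwise, -1 on allocation error. */
static int demo_exact_fill(void)
{
    struct hbuf h;
    if (hbuf_init(&h, 8) != 0)
        return -1;
    if (hbuf_append(&h, "ABCDEFGH", 8) != 0) {
        free(h.base);
        return -1;
    }
    int would = finish_unsafe_would_overrun(&h);
    size_t len;
    char *s = finish_safe(&h, &len);
    if (s == NULL)
        return -1;
    int ok = (would == 1) && len == 8 && strcmp(s, "ABCDEFGH") == 0;
    free(s);
    return ok ? 1 : 0;
}

/* Partial-fill case for contrast: 2 bytes into a 4-byte buffer.  Returns 1
 * when the unsafe tail would not overrun and the safe tail still terminates. */
static int demo_partial_fill(void)
{
    struct hbuf h;
    if (hbuf_init(&h, 4) != 0)
        return -1;
    if (hbuf_append(&h, "ab", 2) != 0) {
        free(h.base);
        return -1;
    }
    int would = finish_unsafe_would_overrun(&h);
    size_t len;
    char *s = finish_safe(&h, &len);
    if (s == NULL)
        return -1;
    int ok = (would == 0) && len == 2 && strcmp(s, "ab") == 0;
    free(s);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("exact fill handled safely:   %s\n", demo_exact_fill() == 1 ? "yes" : "no");
    printf("partial fill handled safely: %s\n", demo_partial_fill() == 1 ? "yes" : "no");
    return 0;
}
```

The two tails differ only in ordering: the unsafe one shrinks (or keeps the oversize buffer on failure) and then stores the NUL at `size - left`, which is out of bounds whenever the writer was allowed to reach `left == 0`; the safe one makes room first, so a failed grow is reported as an error instead of becoming a one-byte heap overwrite.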
