From owner-freebsd-stable  Thu Sep 26  1:58: 8 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2306B37B401
	for <stable@FreeBSD.ORG>; Thu, 26 Sep 2002 01:58:07 -0700 (PDT)
Received: from HAL9000.homeunix.com (12-232-220-15.client.attbi.com [12.232.220.15])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7AF3543E42
	for <stable@FreeBSD.ORG>; Thu, 26 Sep 2002 01:58:06 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Received: from HAL9000.homeunix.com (localhost [127.0.0.1])
	by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id g8Q8w58E062108;
	Thu, 26 Sep 2002 01:58:05 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Received: (from das@localhost)
	by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id g8Q8w5M1062107;
	Thu, 26 Sep 2002 01:58:05 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Date: Thu, 26 Sep 2002 01:58:05 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Barney Wolff <barney@tp.databus.com>
Cc: stable@FreeBSD.ORG
Subject: Re: [v]asprintf leaks memory
Message-ID: <20020926085805.GA62047@HAL9000.homeunix.com>
Mail-Followup-To: Barney Wolff <barney@tp.databus.com>,
	stable@FreeBSD.ORG
References: <20020925133219.GA59210@HAL9000.homeunix.com> <20020925155222.GA4874@tp.databus.com> <20020926061617.GA16599@tp.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020926061617.GA16599@tp.databus.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

Thus spake Barney Wolff <barney@tp.databus.com>:
> There is possibly a more serious bug here.  If vfprintf returns with
> f._bf._base NULL, it would seem that *f._p = '\0'; will store
> into freed memory.

Good point.  I originally wrote a catch-all patch that would have
fixed this by checking whether ret was -1 *and* f._bf_base was
non-NULL.  Then I tried to characterize the error more carefully
and write a better patch.

The catch-all one is *really* ugly.  You're duplicating code in
both asprintf() and vasprintf(), and by patching it that way,
you're basically admitting that you don't know when the hell
__vfprintf() remembers to free the buffer on error and when it
forgets.  As I said before, the underlying routines could use a
rewrite.  I would suggest using realloc() instead of reallocf() so
that more reasonable invariants can be imposed upon __vfprintf(),
and the malloc and free-on-error can be done in a single procedure.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message