From owner-freebsd-stable Thu Sep 26 01:58:08 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2306B37B401 for ; Thu, 26 Sep 2002 01:58:07 -0700 (PDT)
Received: from HAL9000.homeunix.com (12-232-220-15.client.attbi.com [12.232.220.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7AF3543E42 for ; Thu, 26 Sep 2002 01:58:06 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id g8Q8w58E062108; Thu, 26 Sep 2002 01:58:05 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id g8Q8w5M1062107; Thu, 26 Sep 2002 01:58:05 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Date: Thu, 26 Sep 2002 01:58:05 -0700
From: David Schultz
To: Barney Wolff
Cc: stable@FreeBSD.ORG
Subject: Re: [v]asprintf leaks memory
Message-ID: <20020926085805.GA62047@HAL9000.homeunix.com>
Mail-Followup-To: Barney Wolff , stable@FreeBSD.ORG
References: <20020925133219.GA59210@HAL9000.homeunix.com> <20020925155222.GA4874@tp.databus.com> <20020926061617.GA16599@tp.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020926061617.GA16599@tp.databus.com>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Thus spake Barney Wolff :
> There is possibly a more serious bug here.  If vfprintf returns with
> f._bf._base NULL, it would seem that *f._p = '\0'; will store
> into freed memory.

Good point.  I originally wrote a catch-all patch that would have fixed this by checking whether ret was -1 *and* f._bf._base was non-NULL.  Then I tried to characterize the error more carefully and write a better patch.
The catch-all one is *really* ugly.  You're duplicating code in both asprintf() and vasprintf(), and by patching it that way, you're basically admitting that you don't know when the hell __vfprintf() remembers to free the buffer on error and when it forgets.

As I said before, the underlying routines could use a rewrite.  I would suggest using realloc() instead of reallocf() so that more reasonable invariants can be imposed upon __vfprintf(), and the malloc and free-on-error can be done in a single procedure.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
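The single-owner buffer discipline argued for in the message above, shown as an added example that is not FreeBSD's libc code and not any patch posted in this thread: a standalone vasprintf()-style routine whose buffer is grown with plain realloc() (so a failed growth leaves the old block valid and still owned by the function) and released in exactly one error path, with a hypothetical grow() hook so the failure path can be forced deterministically. The names safe_vasprintf, safe_asprintf, grow and the demo_* helpers, and the constructed format string they use, belong to this example only.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook (this example's own, not libc's) so the
 * failure path can be exercised: when fail_on_alloc > 0, the Nth growth
 * request returns NULL.  It wraps plain realloc(), so on failure the old
 * block is untouched and still owned by the caller, unlike reallocf(). */
static int fail_on_alloc = 0;   /* 0 = never fail */
static int alloc_count = 0;

static void *grow(void *p, size_t n)
{
    alloc_count++;
    if (fail_on_alloc && alloc_count == fail_on_alloc)
        return NULL;
    return realloc(p, n);
}

/*
 * vasprintf()-style formatter with a single owner for the buffer.
 * Invariants: `buf` is NULL or a live allocation owned by this function;
 * nothing frees it except the one `fail:` path; the caller only sees the
 * buffer once it is complete and NUL-terminated.  There is no separate
 * terminator store after an error, so no write can land in freed memory.
 */
int safe_vasprintf(char **strp, const char *fmt, va_list ap)
{
    char *buf = NULL;
    size_t cap = 16;            /* deliberately small to force a regrow */
    va_list ap2;

    *strp = NULL;
    for (;;) {
        char *nbuf = grow(buf, cap);
        if (nbuf == NULL)
            goto fail;          /* buf is still valid; released below */
        buf = nbuf;

        va_copy(ap2, ap);
        int n = vsnprintf(buf, cap, fmt, ap2);
        va_end(ap2);
        if (n < 0)
            goto fail;          /* encoding error reported by vsnprintf */
        if ((size_t)n < cap) {
            *strp = buf;        /* hand ownership to the caller */
            return n;
        }
        cap = (size_t)n + 1;    /* exact size needed; retry once */
    }

fail:
    free(buf);                  /* the only free() in the function */
    return -1;
}

int safe_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = safe_vasprintf(strp, fmt, ap);
    va_end(ap);
    return n;
}

/* Demo helper on a constructed format string.  fail_on selects which
 * growth request (1 = initial, 2 = regrow) is forced to fail; 0 = none. */
static int demo_run(int fail_on, char **out)
{
    fail_on_alloc = fail_on;
    alloc_count = 0;
    return safe_asprintf(out, "%s %d bytes from %s", "GET", 12345, "10.0.0.1");
}

/* Success path: returns the formatted length (29 for the string above)
 * if the text is exactly what the format should produce, else -2. */
int demo_success(void)
{
    char *s = NULL;
    int n = demo_run(0, &s);
    int ok = n == 29 && s != NULL && strcmp(s, "GET 12345 bytes from 10.0.0.1") == 0;
    free(s);
    return ok ? n : -2;
}

/* Failure path: 1 if forcing allocation `k` to fail yields -1 and a NULL
 * result, i.e. the caller is never handed a freed or half-built buffer. */
int demo_failure_ok(int k)
{
    char *s = (char *)0x1;      /* sentinel: must be cleared by the callee */
    int n = demo_run(k, &s);
    return n == -1 && s == NULL;
}

int main(void)
{
    char *s = NULL;
    int n = demo_run(0, &s);
    printf("%d: %s\n", n, s);
    free(s);
    printf("forced failure -> %d\n", demo_run(2, &s));
    return 0;
}
```

The point of the shape is the one the message makes: with realloc() rather than reallocf(), a failed growth cannot silently free the buffer behind the formatter's back, so the routine can hold a simple invariant (buf is live until the single free at `fail:`) and there is no window in which a later terminator store could touch freed memory. This does not reproduce the real __vfprintf() fake-FILE machinery; it only demonstrates the ownership rule that machinery should follow.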