Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 20 Mar 2002 16:13:11 +0000
From:      Ian Dowse <iedowse@maths.tcd.ie>
To:        Eugene Grosbein <eugen@grosbein.pp.ru>
Cc:        Matthew Dillon <dillon@apollo.backplane.com>, FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG, Kirk McKusick <mckusick@mckusick.com>
Subject:   Re: kern/35969: kernel option PPP_DEFLATE often procudes kernel panics; PPP_BSDCOMP sometimes procudes stalled connections 
Message-ID:   <200203201613.aa16423@salmon.maths.tcd.ie>
In-Reply-To: Your message of "Wed, 20 Mar 2002 21:35:03 %2B0700." <20020320213503.A344@grosbein.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 
In message <20020320213503.A344@grosbein.pp.ru>, Eugene Grosbein writes:
>It seems, that commit affected src/lib/libz/infblock.c 
>and it's possible it still contatins the bug that is fixed now in the kernel.

Yes, I had seen the libc/libz code too. At first glance it appears
to have a similar problem:

>@@ -329,6 +334,7 @@
>         }
>         s->sub.decode.codes = c;
>       }
>+      ZFREE(z, s->sub.trees.blens);
>       s->mode = CODES;
>     case CODES:
>       UPDATE

However the structure of struct inflate_blocks_state is different
in libz, so it is mostly safe because decode.codes and trees.blens
are unlikely to overlap on most platforms:

  union {
    uInt left;          /* if STORED, bytes left to copy */
    struct {
      uInt table;               /* table lengths (14 bits) */
      uInt index;               /* index into blens (or border) */
      uIntf *blens;             /* bit lengths of codes */
      uInt bb;                  /* bit length tree depth */
      inflate_huft *tb;         /* bit length decoding tree */
    } trees;            /* if DTREE, decoding info for trees */
    struct {
      inflate_codes_statef 
         *codes;
    } decode;           /* if CODES, current state */
  } sub;                /* submode */

The patch applied to libc/libz seems to match exactly what appeared
in the official zlib 1.1.4 release, but it is still very dodgy
programming by the zlib people...

Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200203201613.aa16423>