To: Eugene Grosbein
Cc: Matthew Dillon, FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG, Kirk McKusick
Subject: Re: kern/35969: kernel option PPP_DEFLATE often produces kernel panics; PPP_BSDCOMP sometimes produces stalled connections
In-Reply-To: Your message of "Wed, 20 Mar 2002 21:35:03 +0700." <20020320213503.A344@grosbein.pp.ru>
Date: Wed, 20 Mar 2002 16:13:11 +0000
From: Ian Dowse
Message-ID: <200203201613.aa16423@salmon.maths.tcd.ie>

In message <20020320213503.A344@grosbein.pp.ru>, Eugene Grosbein writes:
>It seems, that commit affected src/lib/libz/infblock.c
>and it's possible it still contains the bug that is fixed now in the kernel.

Yes, I had seen the libc/libz code too. At first glance it appears to
have a similar problem:
>@@ -329,6 +334,7 @@
> }
> s->sub.decode.codes = c;
> }
>+ ZFREE(z, s->sub.trees.blens);
> s->mode = CODES;
> case CODES:
> UPDATE

However the structure of struct inflate_blocks_state is different in
libz, so it is mostly safe because decode.codes and trees.blens are
unlikely to overlap on most platforms:

    union {
      uInt left;                    /* if STORED, bytes left to copy */
      struct {
        uInt table;                 /* table lengths (14 bits) */
        uInt index;                 /* index into blens (or border) */
        uIntf *blens;               /* bit lengths of codes */
        uInt bb;                    /* bit length tree depth */
        inflate_huft *tb;           /* bit length decoding tree */
      } trees;                      /* if DTREE, decoding info for trees */
      struct {
        inflate_codes_statef *codes;
      } decode;                     /* if CODES, current state */
    } sub;                          /* submode */

The patch applied to libc/libz seems to match exactly what appeared in
the official zlib 1.1.4 release, but it is still very dodgy programming
by the zlib people...

Ian
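Review bot: the added `ZFREE(z, s->sub.trees.blens);` executes after `s->sub.decode.codes = c;`, and `trees` and `decode` are members of the same `sub` union, so the free reads `blens` through storage that the `codes` store may already have overwritten; it only works here because `blens` happens to sit past the first pointer-sized slot of the union. Move the `ZFREE` ahead of the `s->sub.decode.codes = c;` assignment (or copy `blens` into a local before the store) so releasing the bit-length array does not depend on the union layout of a particular platform.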
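The union-aliasing point made in the message above, as an added example that is not code from the message, from zlib or from FreeBSD: it rebuilds the quoted sub union with hypothetical stand-in types, checks with offsetof whether trees.blens and decode.codes share bytes, and models the hunk's store-then-free order against a hypothetical layout in which they do overlap (all type and function names here are assumptions).

```c
#include <stddef.h>

/* Stand-ins for zlib's types; only their sizes matter (hypothetical). */
typedef unsigned int uInt; typedef uInt uIntf;
typedef struct { int placeholder; } inflate_huft;
typedef struct { int placeholder; } inflate_codes_statef;

/* The libz sub union as quoted in the message. */
typedef struct {
    union {
        uInt left;
        struct { uInt table; uInt index; uIntf *blens; uInt bb; inflate_huft *tb; } trees;
        struct { inflate_codes_statef *codes; } decode;
    } sub;
} libz_blocks_state;

/* Hypothetical layout (not FreeBSD's kernel struct) where blens comes first
 * in trees and therefore shares its bytes with decode.codes. */
typedef struct {
    union {
        struct { uIntf *blens; uInt table; uInt index; } trees;
        struct { inflate_codes_statef *codes; } decode;
    } sub;
} overlapping_blocks_state;

/* 1 if trees.blens and decode.codes share any byte in the libz layout.
 * On common ABIs blens sits after two uInts, so they do not, which is the
 * only reason the hunk's store-then-free order happens to work. */
int libz_members_overlap(void) {
    size_t b = offsetof(libz_blocks_state, sub.trees.blens);
    size_t c = offsetof(libz_blocks_state, sub.decode.codes);
    return b < c + sizeof(inflate_codes_statef *) && c < b + sizeof(uIntf *);
}

/* Model of the hunk: store decode.codes, then read trees.blens for ZFREE.
 * Each function returns the pointer ZFREE would receive. */
uIntf *libz_pointer_freed(uIntf *blens, inflate_codes_statef *c) {
    libz_blocks_state s;
    s.sub.trees.blens = blens;
    s.sub.decode.codes = c;     /* bytes of blens untouched in this layout */
    return s.sub.trees.blens;   /* still blens */
}

uIntf *overlapping_pointer_freed(uIntf *blens, inflate_codes_statef *c) {
    overlapping_blocks_state s;
    s.sub.trees.blens = blens;
    s.sub.decode.codes = c;     /* overwrites the bytes that held blens */
    return s.sub.trees.blens;   /* now the codes pointer: wrong block freed */
}
```

Reading blens before the store to decode.codes (or freeing it before the union is switched to decode) removes the dependency on layout in both cases.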