From owner-freebsd-bugs Wed Mar 20 10:18:16 2002
Delivered-To: freebsd-bugs@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 5EF0037B41C; Wed, 20 Mar 2002 10:17:58 -0800 (PST)
Received: (from dillon@localhost) by apollo.backplane.com (8.11.6/8.9.1) id g2KIHqf84421; Wed, 20 Mar 2002 10:17:52 -0800 (PST) (envelope-from dillon)
Date: Wed, 20 Mar 2002 10:17:52 -0800 (PST)
From: Matthew Dillon
Message-Id: <200203201817.g2KIHqf84421@apollo.backplane.com>
To: Ian Dowse
Cc: Eugene Grosbein, FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG, Kirk McKusick, Chris Faulhaber, security-officer@FreeBSD.ORG
Subject: Re: kern/35969: kernel option PPP_DEFLATE often produces kernel panics; PPP_BSDCOMP sometimes produces stalled connections
References: <200203201613.aa16423@salmon.maths.tcd.ie>
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

    I would say that libz should probably be fixed too, and given a big
    whopping comment as well, even though (as Ian noted) the organization
    of the union is such that the bug will not occur.

    I'm adding Chris to this Cc.  Chris, it's your baby :-), I'll leave it
    to you to decide what is best in regards to libz.

    p.s. Chris, OpenBSD's infblock.c file in libz is exactly the same as
    ours except for some minor whitespace/bracing changes.

					-Matt
					Matthew Dillon

:Yes, I had seen the libc/libz code too.  At first glance it appears
:to have a similar problem:
:
:>@@ -329,6 +334,7 @@
:> }
:> s->sub.decode.codes = c;
:> }
:>+ ZFREE(z, s->sub.trees.blens);
:> s->mode = CODES;
:> case CODES:
:> UPDATE
:
:However the structure of struct inflate_blocks_state is different
:in libz, so it is mostly safe because decode.codes and trees.blens
:are unlikely to overlap on most platforms:
:
:    union {
:      uInt left;            /* if STORED, bytes left to copy */
:      struct {
:        uInt table;         /* table lengths (14 bits) */
:        uInt index;         /* index into blens (or border) */
:        uIntf *blens;       /* bit lengths of codes */
:        uInt bb;            /* bit length tree depth */
:        inflate_huft *tb;   /* bit length decoding tree */
:      } trees;              /* if DTREE, decoding info for trees */
:      struct {
:        inflate_codes_statef
:           *codes;
:      } decode;             /* if CODES, current state */
:    } sub;                  /* submode */
:
:The patch applied to libc/libz seems to match exactly what appeared
:in the official zlib 1.1.4 release, but it is still very dodgy
:programming by the zlib people...
:
:Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
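Review bot: in the quoted hunk, the added `ZFREE(z, s->sub.trees.blens);` runs after `s->sub.decode.codes = c;`, and `trees.blens` and `decode.codes` are members of the same `sub` union, so the pointer handed to ZFREE is whatever the `decode.codes` store left behind at blens's offset; it is the right pointer only where the two members do not share bytes, which is exactly the layout dependence Ian describes for libz ("unlikely to overlap on most platforms"). Suggest moving the ZFREE above the `s->sub.decode.codes = c;` assignment, or copying `s->sub.trees.blens` into a local before that assignment and freeing the local, and, as Matt asks, leaving a comment at that spot explaining why the order matters so a later rearrangement of the union does not reintroduce the bug.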
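As an added illustration of the union hazard the hunk and Ian's struct layout discuss (this is not code from zlib, FreeBSD or this thread): the program below declares a union with the member names from the quoted libz declaration, with `uInt` replaced by `unsigned` and the pointer typedefs by plain pointers, plus a constructed second layout in which `blens` is the first member of `trees` so that it occupies the same bytes as `decode.codes`; that second layout is hypothetical and is not the kernel's real struct, which the thread does not reproduce. ZFREE is replaced by a stub that records the pointer instead of freeing it, so the program can check, for each layout, whether the pointer reaching the free in the hunk's order (assign `decode.codes`, then free `trees.blens`) is still the blens allocation, and compare that with the order that frees before assigning.

```c
/* Added example, not zlib's, FreeBSD's or this thread's code: why freeing a
 * union member after writing its sibling is layout-dependent. */
#include <stddef.h>
#include <stdio.h>

/* Mirrors the union Ian quotes from libz; uInt -> unsigned, typedef'd
 * pointers -> plain pointers. */
struct libz_like {
    union {
        unsigned left;
        struct {
            unsigned table;
            unsigned index;
            unsigned *blens;     /* heap buffer that must be freed */
            unsigned bb;
            void *tb;
        } trees;
        struct {
            void *codes;
        } decode;
    } sub;
};

/* Constructed, hypothetical layout with blens first, so it shares bytes with
 * decode.codes.  Not the kernel's actual struct. */
struct overlap_like {
    union {
        unsigned left;
        struct {
            unsigned *blens;
            unsigned table;
            unsigned index;
            unsigned bb;
            void *tb;
        } trees;
        struct {
            void *codes;
        } decode;
    } sub;
};

/* 1 when the byte ranges [a, a+alen) and [b, b+blen) intersect. */
static int ranges_intersect(size_t a, size_t alen, size_t b, size_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Do trees.blens and decode.codes share storage in each layout? */
int libz_like_overlaps(void)
{
    return ranges_intersect(offsetof(struct libz_like, sub.trees.blens), sizeof(unsigned *),
                            offsetof(struct libz_like, sub.decode.codes), sizeof(void *));
}

int overlap_like_overlaps(void)
{
    return ranges_intersect(offsetof(struct overlap_like, sub.trees.blens), sizeof(unsigned *),
                            offsetof(struct overlap_like, sub.decode.codes), sizeof(void *));
}

/* Stand-in for ZFREE: records the pointer rather than freeing it, so a wrong
 * pointer is detected instead of being handed to free(). */
static void *last_freed;
static void record_free(void *p) { last_freed = p; }

/* Constructed stand-ins for the blens allocation and the codes state. */
static unsigned blens_buf[4];
static int codes_obj;

/* Hunk order: write decode.codes, then free trees.blens through the union.
 * Each function returns 1 if the pointer that reached "free" is blens_buf. */
int hunk_order_libz(void)
{
    struct libz_like s;
    s.sub.trees.blens = blens_buf;
    s.sub.decode.codes = &codes_obj;   /* does not touch blens's bytes here */
    record_free(s.sub.trees.blens);
    return last_freed == (void *)blens_buf;
}

int hunk_order_overlap(void)
{
    struct overlap_like s;
    s.sub.trees.blens = blens_buf;
    s.sub.decode.codes = &codes_obj;   /* same bytes: blens is clobbered */
    record_free(s.sub.trees.blens);    /* the codes object is "freed" instead */
    return last_freed == (void *)blens_buf;
}

/* Safe order: free (or copy out) the old member before the sibling is written.
 * Correct regardless of where the members sit in the union. */
int safe_order_libz(void)
{
    struct libz_like s;
    s.sub.trees.blens = blens_buf;
    record_free(s.sub.trees.blens);
    s.sub.decode.codes = &codes_obj;
    return last_freed == (void *)blens_buf;
}

int safe_order_overlap(void)
{
    struct overlap_like s;
    s.sub.trees.blens = blens_buf;
    record_free(s.sub.trees.blens);
    s.sub.decode.codes = &codes_obj;
    return last_freed == (void *)blens_buf;
}

int main(void)
{
    printf("libz-like:    overlap=%d hunk-order ok=%d safe-order ok=%d\n",
           libz_like_overlaps(), hunk_order_libz(), safe_order_libz());
    printf("overlap-like: overlap=%d hunk-order ok=%d safe-order ok=%d\n",
           overlap_like_overlaps(), hunk_order_overlap(), safe_order_overlap());
    return 0;
}
```

The libz-like layout passes in the hunk's order only because `blens` happens to sit past the end of `codes`, which is Ian's "mostly safe"; the overlapping layout shows the free going to the wrong object. Freeing before the sibling assignment gives the right result for both layouts without relying on the union's member order.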