Date: Sat, 3 Apr 2004 01:50:14 -0800 (PST)
From: David Schultz <das@FreeBSD.ORG>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/64983: regfree() crasher
Message-ID: <200404030950.i339oENP061270@freefall.freebsd.org>
The following reply was made to PR kern/64983; it has been noted by GNATS. From: David Schultz <das@FreeBSD.ORG> To: Balazs Nagy <js@iksz.hu> Cc: FreeBSD-gnats-submit@FreeBSD.ORG Subject: Re: kern/64983: regfree() crasher Date: Sat, 3 Apr 2004 01:45:12 -0800 On Wed, Mar 31, 2004, Balazs Nagy wrote: > regfree() in src/libc/regex/regfree.c doesn't check parameter, and with an > invalid pointer, the application crashes. [...] > My problem originated with apache2, which dumps core multiple times. I > recompiled Apache2 with --enable-maintainer-mode, and did a gdb backtrace: [...] > --- lib/libc/regex/regfree.c.orig Fri Mar 22 22:52:47 2002 > +++ lib/libc/regex/regfree.c Wed Mar 31 11:01:00 2004 > @@ -62,6 +62,8 @@ > { > struct re_guts *g; > > + if (!preg) > + return; > if (preg->re_magic != MAGIC1) /* oops */ > return; /* nice to complain, but hard */ The result of regfree() on an invalid pointer is undefined, so your problem looks like a bug in Apache. It isn't clear what regfree() should do, in general, when it detects a bug. Right now, it silently returns when it notices some types of corruption. Arguably it should abort so such bugs can be caught, but changing it now could break applications that (wrongly) depend on the behaviour. You are suggesting the opposite, namely, that regfree() should try harder to hide application bugs from the programmer...
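Review bot: The added `if (!preg) return;` ahead of the `preg->re_magic` test only covers a NULL argument; any other invalid pointer (uninitialized or already freed) is still dereferenced on the next line, so the reported crash is avoided only when the caller happens to pass NULL. It also makes regfree() return silently on a caller bug, as the existing MAGIC1 path does, and nothing in the hunk documents that NULL is now tolerated. If the check is kept, write it as `if (preg == NULL)` with a comment stating the intent; the more robust fix is in the caller, which should call regfree() only on a regex_t that regcomp() compiled successfully.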
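The caller-side discipline the reply points to, as an added example that is not part of the original message or of FreeBSD or Apache code: the application records whether regcomp() succeeded and calls regfree() only then. The `safe_regex` type and its functions are hypothetical names chosen for this sketch.

```c
#include <regex.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical wrapper (not a libc or APR type): a regex_t plus a flag
 * recording whether regcomp() succeeded on it. */
struct safe_regex {
    regex_t re;
    bool compiled;
};

void safe_regex_init(struct safe_regex *sr)
{
    memset(sr, 0, sizeof(*sr));
}

/* Release the pattern only if it was compiled; safe to call repeatedly.
 * Returns true when regfree() was actually called. */
bool safe_regex_free(struct safe_regex *sr)
{
    if (!sr->compiled)
        return false;
    regfree(&sr->re);
    sr->compiled = false;
    return true;
}

/* Returns regcomp()'s result. On failure the object stays "not compiled",
 * so a later safe_regex_free() never hands regfree() an undefined regex_t. */
int safe_regex_compile(struct safe_regex *sr, const char *pattern, int cflags)
{
    int rc;

    safe_regex_free(sr);            /* drop any previous pattern first */
    rc = regcomp(&sr->re, pattern, cflags);
    sr->compiled = (rc == 0);
    return rc;
}

/* 1 = match, 0 = no match, -1 = not compiled or regexec() error. */
int safe_regex_match(const struct safe_regex *sr, const char *s)
{
    int rc;

    if (!sr->compiled)
        return -1;
    rc = regexec(&sr->re, s, 0, NULL, 0);
    return rc == 0 ? 1 : (rc == REG_NOMATCH ? 0 : -1);
}
```

The wrapper itself must be initialized with safe_regex_init() before first use; passing an uninitialized or NULL wrapper is still a caller bug and is deliberately not masked.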