Date: Sat, 9 Jun 2001 17:27:38 +0100 (BST) From: ben@FreeBSD.org To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/27990: ypbind uses memory after freeing it Message-ID: <200106091627.f59GRch80702@platinum.shef.vinosystems.com>
next in thread | raw e-mail | index | archive | help
>Number: 27990
>Category: bin
>Synopsis: ypbind uses memory after freeing it
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 09 09:30:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:
>Release: FreeBSD 4.3-STABLE i386
>Organization:
The FreeBSD Project
>Environment:
System: FreeBSD platinum.shef.vinosystems.com 4.3-STABLE FreeBSD 4.3-STABLE #0: Sun May 20 14:21:28 BST 2001 ben@platinum.scientia.demon.co.uk:/usr/obj/usr/src/sys/PLATINUM i386
(Rather old, but I don't see any recent commits to this file.)
>Description:
Maybe I'm missing something but this code just looks plain Wrong to me:
for(ypdb=ypbindlist; ypdb; ypdb=ypdb->dom_pnext) {
if (READFD > 0 && FD_ISSET(READFD, &fdsr)) {
handle_children(ypdb);
if (children == (MAX_CHILDREN - 1))
checkwork();
}
}
Given this code in the handle_children() function:
switch(ypdb->dom_default) {
case 0:
...
free(ypdb); << HERE
domains--;
return;
After returning the main() function will do 'ypdb=ypdb->dom_pnext' after
'ypdb' has been freed.
>How-To-Repeat:
Not quite sure. I noticed it while I had one machine on my network
using the old NIS domain after I'd changed the rest to a new one, maybe
that's related.
>Fix:
This has fixed the problem for me on -stable, not sure if it applies to
current too or not though. If someone can just review it I can commit
it.
--- ypbind.c.orig Sat Jun 9 17:03:47 2001
+++ ypbind.c Sat Jun 9 17:04:32 2001
@@ -394,7 +394,7 @@
int i;
DIR *dird;
struct dirent *dirp;
- struct _dom_binding *ypdb;
+ struct _dom_binding *ypdb, *next;
/* Check that another ypbind isn't already running. */
if ((yplockfd = (open(YPBINDLOCK, O_RDONLY|O_CREAT, 0444))) == -1)
@@ -493,7 +493,8 @@
syslog(LOG_WARNING, "select: %m");
break;
default:
- for(ypdb=ypbindlist; ypdb; ypdb=ypdb->dom_pnext) {
+ for(ypdb=ypbindlist; ypdb; ypdb=next) {
+ next = ypdb->dom_pnext;
if (READFD > 0 && FD_ISSET(READFD, &fdsr)) {
handle_children(ypdb);
if (children == (MAX_CHILDREN - 1))
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106091627.f59GRch80702>