Date:      Sun, 2 Aug 1998 13:12:18 +0200 (CEST)
From:      Stefan Eggers <seggers@semyam.dinoco.de>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Cc:        seggers@semyam.dinoco.de
Subject:   bin/7469: ppp uses freed memory on quit from prompt
Message-ID:  <199808021112.NAA02076@semyam.dinoco.de>


>Number:         7469
>Category:       bin
>Synopsis:       ppp uses freed memory on quit from prompt
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug  2 04:20:00 PDT 1998
>Last-Modified:
>Originator:     Stefan Eggers
>Organization:
none
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:

	-current system cvsup'ed on Friday, PPP source updated to the
most current from a few minutes ago to see if the bug is fixed there.

>Description:

	I start ppp with "ppp xnc" where xnc is the label I gave my
provider's entry in /etc/ppp/ppp.conf.  Not doing anything else at the
prompt I quit it.  Core dump.

	This is with /etc/malloc.conf set to AJ.  A very useful
setting I turned on just a few minutes ago.  ;-)

>How-To-Repeat:

	Set /etc/malloc.conf to AJ (which means make a soft link named
/etc/malloc.conf pointing to AJ; see malloc(3)) and then try the above
mentioned sequence with ppp.

>Fix:
	
	I looked around for a cause and after some reading of the
source I found out that on a "quit" command the promptlist entry which
is associated with the command line gets unregistered and deallocated.
This causes the promptlist in log.c to change.

	The problem is that the loop you see below gets from one entry
on the list to the next.  When it gets to the one for the command line
the call to descriptor_Read() will process the "quit" command.  This
in turn will deallocate the entry p is pointing to.  Now trying to get
to the next entry is an illegal operation which just works because no
other function overwrote the already freed memory.

	The most general solution would be to restart the whole loop
after calling descriptor_Read(), i.e. do a "p = log_PromptList();
continue;" at that point.  This will prevent similar problems with
other callbacks which might change the promptlist.

	I didn't fix it this way because I don't know what implications
this might have on other parts of the program.

	Thus I fixed it this way, which works for me:

Index: server.c
===================================================================
RCS file: /usr2/FreeBSD/CVSROOT/src/usr.sbin/ppp/server.c,v
retrieving revision 1.22
diff -u -r1.22 server.c
--- server.c	1998/06/27 14:18:10	1.22
+++ server.c	1998/08/02 10:52:18
@@ -95,7 +95,7 @@
   struct sockaddr *sa = (struct sockaddr *)hisaddr;
   struct sockaddr_in *in = (struct sockaddr_in *)hisaddr;
   int ssize = ADDRSZ, wfd;
-  struct prompt *p;
+  struct prompt *p, *pnxt;
 
   if (s->fd >= 0 && FD_ISSET(s->fd, fdset)) {
     wfd = accept(s->fd, sa, &ssize);
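Review bot: the new `pnxt` in `struct prompt *p, *pnxt;` carries no comment saying why a second cursor is needed, and nothing in this hunk hints that `descriptor_Read()` can free `p`; add a one-liner at the declaration, e.g. `/* descriptor_Read() may unregister and free p ("quit"), so next is fetched first */`, so the loop below is not "simplified" back to `p = p->next` later.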
@@ -152,9 +152,12 @@
     }
   }
 
-  for (p = log_PromptList(); p; p = p->next)
+  for (p = log_PromptList(); p; p = pnxt)
+  {
+    pnxt = p->next;
     if (descriptor_IsSet(&p->desc, fdset))
       descriptor_Read(&p->desc, bundle, fdset);
+  }
 }
 
 static int
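Review bot: `pnxt = p->next;` taken before `descriptor_Read(&p->desc, bundle, fdset);` only protects against the callback freeing `p` itself; if a command run through descriptor_Read() can remove any other prompt from the list, in particular the entry `pnxt` already points to, `p = pnxt` still steps into freed memory. Either record in a comment that a read may unregister only its own prompt, or take the restart-from-`log_PromptList()` approach the description mentions, clearing the handled descriptor from `fdset` so the rescan terminates. Also, the opening brace of the new block sits on its own line while the rest of the function cuddles it (`if (s->fd >= 0 && FD_ISSET(s->fd, fdset)) {`); write `for (p = log_PromptList(); p; p = pnxt) {`.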

>Audit-Trail:
>Unformatted:
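
The list walk discussed under >Fix above, as an added example that is neither this report's code nor ppp(8)'s: a small C model of the prompt list, the server_Read() loop and a read callback that unregisters the prompt on "quit". The names log_PromptList and descriptor_Read are borrowed from the report for readability; their bodies, the name prompt_Destroy for the unregister-and-free step, the ready[] array standing in for the fd_set, the quarantine standing in for free(), and the hypothetical CMD_CLOSE_NEXT command (one that removes a different prompt) are all this example's own assumptions. It shows the original loop failing on "quit", the patch's save-the-next-pointer loop surviving that case but failing when the callback frees the saved entry, and the restart-from-the-head variant handling both.

```c
/* Added example, not ppp's code: a model of the prompt list and the
 * server_Read() walk from bin/7469.  Names mirror the PR; bodies are mine. */
#include <stdlib.h>
#include <string.h>

#define NFD 8
enum cmd { CMD_NONE, CMD_QUIT, CMD_CLOSE_NEXT };   /* CLOSE_NEXT is hypothetical */
struct prompt {
    struct prompt *next;
    int fd;              /* index into ready[], standing in for the fd_set */
    enum cmd pending;    /* command descriptor_Read() will execute */
};
static struct prompt *promptlist;        /* the list log.c keeps */
static struct prompt *quarantine[NFD];   /* "freed" blocks, see prompt_Destroy */
static int nquarantined, ready[NFD];

static struct prompt *log_PromptList(void) { return promptlist; }

/* Unlink and "free": junk-fill with 0xd0 (what malloc.conf 'J' does) and park
 * the block in a quarantine so a stale pointer is detectable with is_freed()
 * instead of crashing.  Without 'J' the old next pointer survives in the freed
 * block and the bug hides, exactly as the PR describes. */
static void prompt_Destroy(struct prompt *p)
{
    struct prompt **pp;
    for (pp = &promptlist; *pp; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; break; }
    memset(p, 0xd0, sizeof *p);
    quarantine[nquarantined++] = p;
}
static int is_freed(const struct prompt *p)
{
    int i;
    for (i = 0; i < nquarantined; i++) if (quarantine[i] == p) return 1;
    return 0;
}

/* Read callback: run the pending command, then clear the fd. */
static void descriptor_Read(struct prompt *p)
{
    enum cmd c = p->pending;
    ready[p->fd] = 0; p->pending = CMD_NONE;
    if (c == CMD_QUIT) prompt_Destroy(p);                  /* "quit": frees p itself */
    else if (c == CMD_CLOSE_NEXT && p->next) prompt_Destroy(p->next); /* frees another */
}

/* Loop as in server.c before the patch: prompts read, or -1 where the real
 * loop would evaluate p->next on a freed block (0xd0d0..., dereferenced next). */
static int walk_original(void)
{
    struct prompt *p; int n = 0;
    for (p = log_PromptList(); p; p = p->next) {
        if (ready[p->fd]) { descriptor_Read(p); n++; }
        if (is_freed(p)) return -1;
    }
    return n;
}

/* The patch: save next before the callback can free p.  Still -1 if the
 * callback freed the saved entry, which the patch does not guard against. */
static int walk_save_next(void)
{
    struct prompt *p, *pnxt; int n = 0;
    for (p = log_PromptList(); p; p = pnxt) {
        pnxt = p->next;
        if (ready[p->fd]) { descriptor_Read(p); n++; }
        if (pnxt && is_freed(pnxt)) return -1;
    }
    return n;
}

/* The general fix the PR mentions: rescan from the head after every read.
 * Terminates because descriptor_Read clears ready[] for the fd it handled. */
static int walk_restart(void)
{
    struct prompt *p = log_PromptList(); int n = 0;
    while (p) {
        if (!ready[p->fd]) { p = p->next; continue; }
        descriptor_Read(p); n++;
        p = log_PromptList();                    /* list may have changed */
    }
    return n;
}

/* Constructed input: fresh list of fds 0..count-1 in that order, all readable;
 * the prompt on fd_cmd has command c pending.  Also releases the previous run. */
static void setup(int count, int fd_cmd, enum cmd c)
{
    int i;
    while (promptlist) { struct prompt *p = promptlist; promptlist = p->next; free(p); }
    for (i = 0; i < nquarantined; i++) free(quarantine[i]);
    nquarantined = 0; memset(ready, 0, sizeof ready);
    for (i = count - 1; i >= 0; i--) {
        struct prompt *p = malloc(sizeof *p);
        if (!p) abort();
        p->fd = i; p->pending = i == fd_cmd ? c : CMD_NONE; ready[i] = 1;
        p->next = promptlist; promptlist = p;
    }
}
```

Because prompt_Destroy() parks blocks instead of calling free(), the walkers can report the stale pointer as -1; with a real free() and malloc.conf set to J the same position reads 0xd0d0d0d0 as p->next and the following iteration faults, which is the core dump the report describes. Drive it from a main() that calls setup(3, 1, CMD_QUIT) and then one of the walk_* functions; setup(3, 0, CMD_CLOSE_NEXT) followed by walk_save_next() is the case the patch leaves open.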

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808021112.NAA02076>