Date: Sat, 12 Jan 2008 11:10:03 GMT
From: Bruce Cran <bruce@cran.org.uk>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/73337: nsswitch: potential invalid free
Message-ID: <200801121110.m0CBA3pD081385@freefall.freebsd.org>
The following reply was made to PR bin/73337; it has been noted by GNATS. From: Bruce Cran <bruce@cran.org.uk> To: bug-followup@FreeBSD.org, nectar@FreeBSD.org Cc: Subject: Re: bin/73337: nsswitch: potential invalid free Date: Sat, 12 Jan 2008 11:01:48 +0000 This still appears to be a problem on 7.0-PRERELEASE: single-threaded applications get returned a statically-allocated [name]_state structure, but all of the [name]_endstate functions such as dns_endstate assume that the memory has been dynamically allocated - and so attempt to free() a pointer which wasn't obtained through malloc(). I think the patch below would fix the problem. --- nss_tls.h.old 2008-01-12 00:21:20.000000000 +0000 +++ nss_tls.h 2008-01-12 10:54:17.000000000 +0000 @@ -50,12 +50,18 @@ static int \ name##_getstate(struct name##_state **p) \ { \ - static struct name##_state st; \ + static struct name##_state *st = NULL; \ static pthread_once_t keyinit = PTHREAD_ONCE_INIT; \ int rv; \ \ if (!__isthreaded || _pthread_main_np() != 0) { \ - *p = &st; \ + if (st == NULL) { \ + st = calloc(1, sizeof(*st)); \ + if (st == NULL) \ + return (ENOMEM); \ + } \ + \ + *p = st; \ return (0); \ } \ rv = _pthread_once(&keyinit, name##_keyinit); \ -- Bruce Cran
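Review bot: in the single-threaded branch the new `static struct name##_state *st` is never reset, so if a name##_endstate function does free() the pointer handed out by `*p = st;` (the case the report describes), the next name##_getstate call finds `st != NULL` and returns the same freed address. That would turn the invalid free into a use-after-free, and a second endstate call into a double free. Either clear the cached pointer on the endstate path, or keep the static storage and make the endstate functions skip free() for it. It is also worth confirming that every file expanding this macro pulls in <stdlib.h> and <errno.h>, since the hunk introduces calloc() and ENOMEM without showing an include.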