Date: Sat, 12 Jan 2008 11:10:03 GMT From: Bruce Cran <bruce@cran.org.uk> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/73337: nsswitch: potential invalid free Message-ID: <200801121110.m0CBA3pD081385@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/73337; it has been noted by GNATS.
From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org, nectar@FreeBSD.org
Cc:
Subject: Re: bin/73337: nsswitch: potential invalid free
Date: Sat, 12 Jan 2008 11:01:48 +0000
This still appears to be a problem on 7.0-PRERELEASE: single-threaded
applications get returned a statically-allocated [name]_state structure,
but all of the [name]_endstate functions such as dns_endstate assume
that the memory has been dynamically allocated - and so attempt to
free() a pointer which wasn't obtained through malloc(). I think the
patch below would fix the problem.
--- nss_tls.h.old 2008-01-12 00:21:20.000000000 +0000
+++ nss_tls.h 2008-01-12 10:54:17.000000000 +0000
@@ -50,12 +50,18 @@
static int \
name##_getstate(struct name##_state **p) \
{ \
- static struct name##_state st; \
+ static struct name##_state *st = NULL; \
static pthread_once_t keyinit = PTHREAD_ONCE_INIT; \
int rv; \
\
if (!__isthreaded || _pthread_main_np() != 0) { \
- *p = &st; \
+ if (st == NULL) { \
+ st = calloc(1, sizeof(*st)); \
+ if (st == NULL) \
+ return (ENOMEM); \
+ } \
+ \
+ *p = st; \
return (0); \
} \
rv = _pthread_once(&keyinit, name##_keyinit); \
--
Bruce Cran
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200801121110.m0CBA3pD081385>