From: Stephen Clawson
Reply-To: sclawson@cs.utah.edu
To: FreeBSD-gnats-submit@freebsd.org
Date: Tue, 13 Apr 1999 18:19:47 -0600 (MDT)
Message-Id: <199904140019.SAA17132@ibapah.cs.utah.edu>
Subject: bin/11122: ypserv dumps core: bad length given to a strncmp in yp_next_record.

>Number: 11122
>Category: bin
>Synopsis: ypserv dumps core: bad length given to a strncmp in yp_next_record.
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 13 17:20:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: Stephen Clawson
>Release: FreeBSD 3.0-CURRENT i386 (Jan 27, 1999)
>Organization: University of Utah
>Environment:
A dual PII/350 running FreeBSD 3.0-CURRENT as of Jan 27, 1999, acting as a yp slave for a group of 40+ machines running FreeBSD, NetBSD and Linux.
It's the same set-up from bin/10970 and bin/10971.
>Description:
There's a bug in yp_dblookup.c:yp_next_record(). The key passed in to yp_next_record is compared against all the keys in the database using strncmp. However, the length given to strncmp is the size of the first key, so if the second key is shorter and happens to be aligned in memory so that accessing past the end of it hits unallocated memory, ypserv will core dump. The sad thing is that there's a check to see if the key lengths don't match, but it's _after_ the strncmp. =( Swapping their places nicely fixes the problem.
>How-To-Repeat:
Run a yp server with a decent number of machines.
>Fix:
diff -c -r1.15 yp_dblookup.c *** yp_dblookup.c 1998/02/11 19:15:32 1.15 --- yp_dblookup.c 1999/04/13 23:51:44 *************** *** 615,622 **** if (qhead.cqh_first->dbptr->key == NULL) { #endif (dbp->seq)(dbp,&lkey,&ldata,R_FIRST); ! while(strncmp((char *)key->data,lkey.data, ! (int)key->size) || key->size != lkey.size) if ((dbp->seq)(dbp,&lkey,&ldata,R_NEXT)) { #ifdef DB_CACHE qhead.cqh_first->dbptr->size = 0; --- 615,623 ---- if (qhead.cqh_first->dbptr->key == NULL) { #endif (dbp->seq)(dbp,&lkey,&ldata,R_FIRST); ! while (key->size != lkey.size || ! strncmp((char *)key->data,lkey.data, ! (int)key->size)) if ((dbp->seq)(dbp,&lkey,&ldata,R_NEXT)) { #ifdef DB_CACHE qhead.cqh_first->dbptr->size = 0;
>Release-Note:
>Audit-Trail:
>Unformatted:
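Review bot: With `key->size != lkey.size` now evaluated before the comparison in the patched while() condition, strncmp can no longer read past the end of a shorter lkey.data, but strncmp is still the wrong primitive for a DB key: it stops at the first NUL byte, so two keys of equal size whose bytes differ only after an embedded '\0' would compare equal, and neither key->data nor lkey.data is guaranteed to be NUL-terminated. Suggest `memcmp(key->data, lkey.data, key->size)` in place of `strncmp((char *)key->data,lkey.data, (int)key->size)`, which also removes the (char *) and (int) casts; keep the size check first so the byte comparison covers exactly key->size bytes of both keys.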
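The comparison order the fix establishes, as an added example that is not part of the PR or of ypserv: a constructed key table stands in for the records that (dbp->seq) walks, and yp_find_key is a hypothetical lookup that tests the lengths before touching any bytes, so the comparison never spans more than the shorter key. It uses memcmp rather than strncmp because DB keys are raw bytes that may contain '\0'.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a Berkeley DB key (DBT-like): pointer plus byte length. */
struct dbkey {
    const void *data;
    size_t size;
};

/* Constructed key table standing in for the records (dbp->seq) returns.
 * The second key is deliberately shorter than the first and not NUL-terminated,
 * which is the situation that made the original strncmp read past its end. */
static const char k_long[]  = "hostname.example";
static const char k_short[] = {'h', 'o', 's', 't'};             /* no trailing NUL */
static const char k_nul[]   = {'h', 'o', 's', 't', '\0', 'x'};  /* embedded NUL   */

static const struct dbkey table[] = {
    { k_long,  sizeof k_long - 1 },   /* 16 bytes, terminator excluded */
    { k_short, sizeof k_short },      /* 4 bytes */
    { k_nul,   sizeof k_nul },        /* 6 bytes */
};
#define NKEYS (sizeof table / sizeof table[0])

/* Return the index of the record whose key equals (data, size) byte for byte,
 * or -1 if none does. The length test comes first, as in the patched while()
 * condition, so the byte comparison is only ever run over two keys of equal
 * size. memcmp is used instead of strncmp so bytes after an embedded '\0'
 * still take part in the comparison. */
int yp_find_key(const void *data, size_t size)
{
    for (size_t i = 0; i < NKEYS; i++) {
        if (table[i].size != size)
            continue;                       /* short-circuit: no bytes compared */
        if (memcmp(table[i].data, data, size) == 0)
            return (int)i;
    }
    return -1;
}
```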