Date:      Thu, 12 Dec 1996 19:39:00 +1100 (EST)
From:      davidn@blaze.net.au
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/2196: Bug in src/libc/gen/getttyent.c, use of freed memory
Message-ID:  <199612120839.TAA02811@nserver.blaze.net.au>
Resent-Message-ID: <199612120840.AAA29922@freefall.freebsd.org>


>Number:         2196
>Category:       bin
>Synopsis:       Bug in src/libc/gen/getttyent.c, use of freed memory
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 12 00:40:03 PST 1996
>Last-Modified:
>Originator:     David Nugent - davidn@blaze.net.au
>Organization:   Unique Computing, Melbourne, Australia
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:

	Any FreeBSD system, most obvious with phkmalloc and
	/etc/malloc.conf -> AJ. Not obvious otherwise since
	freed memory will not be overwritten.

	This fix should go into the 2.2 tree as well as -current
	since the problem is present there too.

>Description:

	src/lib/libc/gen/getttyent.c

	endttyent() frees memory which is referenced by a pointer
	returned by getttynam(), so the call basically returns
	garbage if malloc() is configured to overwrite freed
	memory.

>How-To-Repeat:

	Running mgetty+sendfax, no term set by mgetty, login
	calls getttynam() to retrieve the term type for the
	current tty, but gets back garbage if malloc's "junk fill"
	feature is enabled.

	Basically, getttynam() does not work and is buggy.

>Fix:
	
	Don't free memory in endttyent(). Not really tidy, but
	there's no other simple solution other than requiring
	the application to call endttyent() instead of calling
	it in getttynam() [which would be inconsistent behaviour
	for get*nam() style routines].

	The patch below #defines away the memory free in endttyent().
	This will not result in a rampant memory leak since this memory
	is reused if needed by subsequent calls into the *ttyent
	routines.

--- getttyent.c.orig	Tue Oct 22 09:56:23 1996
+++ getttyent.c	Thu Dec 12 19:27:30 1996
@@ -207,11 +207,17 @@
 {
 	int rval;
 
+#if 0
+	/*
+         * Can't free this because getttynam()
+	 * may still be referencing it
+	 */
 	if (line) {
 		free(line);
 		line = NULL;
 		lbsize = 0;
 	}
+#endif
 	if (tf) {
 		rval = (fclose(tf) != EOF);
 		tf = NULL;
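Review bot: wrapping the free in #if 0 leaves dead code in the function and the only explanation is the comment "Can't free this because getttynam() may still be referencing it"; either delete the block outright or extend the comment to say that line is now kept for the process lifetime and reused by the next getttyent(), since a later reader will otherwise see a buffer that is allocated and never released and "fix" it back. The comment line `+         * Can't free this because getttynam()` is also indented with spaces while the surrounding lines use tabs. If keeping the free is preferred, the alternative is for getttynam() to copy the matched entry into its own static storage before calling endttyent(), so the caller never holds pointers into line at all.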


>Audit-Trail:
>Unformatted:


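The failure described in the report, as an added example that is not FreeBSD's libc code and not part of the original PR: a cut-down model of the getttyent(3) family reading a constructed in-memory /etc/ttys, with a getttynam() that calls endttyent() before returning, the way the report describes. The names setttyent/getttyent/endttyent/getttynam and the ty_* fields follow the real API; everything else (the sample ttys text, the junk_free() stand-in for phkmalloc's "J" fill, the field() splitter, term_type() and first_byte()) is assumed for the demonstration. junk_free() fills the buffer with 0xd0 but deliberately does not return it to the allocator, so the dangling read is of still-mapped memory and the result is repeatable; with a real free() that read is undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeBSD's libc: a model of the getttyent(3) family. */
struct ttyent {
    const char *ty_name;    /* terminal device name */
    const char *ty_getty;   /* command to execute */
    const char *ty_type;    /* terminal type; what login(1) asks for */
};

/* Constructed sample /etc/ttys; getty fields unquoted to keep parsing short. */
static const char ttys_text[] =
    "console /usr/libexec/getty cons25 on secure\n"
    "ttyd0 /usr/local/sbin/mgetty dialup on\n"
    "ttyv0 /usr/libexec/getty cons25 on secure\n";

static const char *cur;         /* read cursor; stands in for FILE *tf */
static char *line;              /* malloc'd line buffer, as in getttyent.c */
static size_t lbsize;
static struct ttyent tty;       /* static result; its strings point into line */

/* Return the next whitespace-separated field of *p, NUL-terminating it. */
static char *field(char **p)
{
    char *s = *p, *e;
    while (*s == ' ' || *s == '\t')
        s++;
    if (*s == '\0')
        return NULL;
    for (e = s; *e != '\0' && *e != ' ' && *e != '\t'; e++)
        ;
    if (*e != '\0')
        *e++ = '\0';
    *p = e;
    return s;
}

static void setttyent(void) { cur = ttys_text; }

static struct ttyent *getttyent(void)
{
    const char *nl;
    size_t len;
    char *p;

    if (cur == NULL || *cur == '\0')
        return NULL;
    nl = strchr(cur, '\n');
    len = nl ? (size_t)(nl - cur) : strlen(cur);
    if (len + 1 > lbsize) {             /* grow (or first-allocate) line */
        char *n = realloc(line, len + 1);
        if (n == NULL)
            return NULL;
        line = n;
        lbsize = len + 1;
    }
    memcpy(line, cur, len);
    line[len] = '\0';
    cur = nl ? nl + 1 : cur + len;
    p = line;
    tty.ty_name  = field(&p);
    tty.ty_getty = field(&p);
    tty.ty_type  = field(&p);
    return &tty;
}

/* Stand-in for free() with "J" in /etc/malloc.conf: fill with 0xd0 but keep
 * the block mapped so the dangling read below is repeatable (demo only). */
static void junk_free(void *p, size_t n) { memset(p, 0xd0, n); }

/* endttyent() as in the unpatched getttyent.c: releases the line buffer. */
static void endttyent_orig(void)
{
    if (line) {
        junk_free(line, lbsize);
        line = NULL;
        lbsize = 0;
    }
    cur = NULL;                         /* the "fclose(tf)" */
}

/* endttyent() with the report's patch applied: buffer kept for reuse. */
static void endttyent_patched(void) { cur = NULL; }

/* getttynam(): scan for name, then clean up before returning. That call
 * order is what makes the returned pointer dangle when endttyent() frees. */
static struct ttyent *getttynam(const char *name, void (*endfn)(void))
{
    struct ttyent *t;
    setttyent();
    while ((t = getttyent()) != NULL)
        if (strcmp(t->ty_name, name) == 0)
            break;
    endfn();
    return t;
}

/* What login(1) does: look up the tty and take its terminal type. */
const char *term_type(const char *name, int patched)
{
    struct ttyent *t = getttynam(name, patched ? endttyent_patched
                                               : endttyent_orig);
    return t ? t->ty_type : NULL;
}

/* First byte of what the caller got; the junk-filled buffer has no
 * terminator, so it must not be walked as a string. */
int first_byte(const char *s) { return s ? (unsigned char)s[0] : -1; }

int main(void)
{
    printf("patched:  term for ttyd0 = %s\n", term_type("ttyd0", 1));
    printf("original: first byte of term for ttyd0 = 0x%02x\n",
           first_byte(term_type("ttyd0", 0)));
    return 0;
}
```

With the patched endttyent() the lookup returns "dialup"; with the original one the same lookup hands login the 0xd0 fill, which is the "garbage" the report describes. Note that the patched variant never resets line or lbsize, so the buffer really is reused rather than leaked, but it is also never released.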
