NetBSD Problem Report #40438
From tkhr.hash@gmail.com Mon Jan 19 23:26:02 2009
Return-Path: <tkhr.hash@gmail.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 66EAF63BFCB
for <gnats-bugs@gnats.netbsd.org>; Mon, 19 Jan 2009 23:26:02 +0000 (UTC)
Message-Id: <20090120081836.1D69.44A1DAE8@gmail.com>
Date: Tue, 20 Jan 2009 08:25:58 +0900
From: Takahiro Hayashi <tkhr.hash@gmail.com>
To: gnats-bugs@gnats.NetBSD.org
Cc: tkhr.hash@gmail.com
Subject: syslogd(8) refers freed area
>Number: 40438
>Category: bin
>Synopsis: syslogd(8) refers free(3)d area
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jan 19 23:30:01 +0000 2009
>Closed-Date: Thu Jan 22 21:12:23 +0000 2009
>Last-Modified: Thu Jan 22 21:15:02 +0000 2009
>Originator: Takahiro Hayashi
>Release: NetBSD-current (5.99.5) Dec 18 15:18:35 UTC 2008
>Organization:
>Environment:
System: NetBSD fork 5.99.5 NetBSD 5.99.5 (FORK) #0: Fri Dec 19 08:16:54 JST 2008 root@fork:/usr/obj/sys/arch/i386/compile/FORK i386
Architecture: i386
Machine: i386
>Description:
syslogd(8) dumps core in an environment with /etc/malloc.conf = AJ
when receiving SIGHUP (e.g. when newsyslog runs from cron).
In function syslogd.c:init(), syslogd free(3)s the old f
before referring to f = f->f_next around line 3393;
then f points to the freed area (a stream of 0x5a if malloc.conf has J).
>How-To-Repeat:
ln -s AJ /etc/malloc.conf, restart syslogd and
send SIGHUP to syslogd.
>Fix:
Avoid referencing the freed area,
for example by keeping f_next in another variable, like this:
Index: syslogd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.94
diff -u -u -r1.94 syslogd.c
--- syslogd.c 27 Nov 2008 20:37:21 -0000 1.94
+++ syslogd.c 19 Jan 2009 22:45:13 -0000
@@ -3389,7 +3389,9 @@
/*
* Free old log files.
*/
- for (f = Files; f != NULL; f = f->f_next) {
+ for (f = Files; f != NULL;) {
+ struct filed *ftmp;
+
/* check if a new logfile is equal, if so pass the queue */
for (f2 = newf; f2 != NULL; f2 = f2->f_next) {
if (f->f_type == f2->f_type
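Review bot: the rewritten `for (f = Files; f != NULL;)` header has an empty increment clause, so the loop only advances if the body reaches the assignment at its very end; a `continue` added anywhere in the body later would spin on the same entry forever. Keeping the advance in the header, `for (f = Files; f != NULL; f = ftmp)`, and assigning `ftmp = f->f_next;` as the first statement of the body gives the same fix without that trap. Declaring `ftmp` next to `f` and `f2`, which are declared outside the loop, would also be more consistent than a block-scope declaration.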
@@ -3420,7 +3422,10 @@
FREEPTR(f->f_program);
FREEPTR(f->f_host);
DEL_EVENT(f->f_sq_event);
+
+ ftmp = f->f_next;
free((char *)f);
+ f = ftmp;
}
Files = newf;
Initialized = 1;
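Review bot: the added `ftmp = f->f_next;` and `f = ftmp;` lines around `free((char *)f);` carry no comment saying why the next pointer is saved first, so a later cleanup could fold the advance back into the `for` header and reintroduce the read of freed memory. A one-line comment above `ftmp = f->f_next;`, such as "save the link, f is invalid after free()", would document the intent. The blank line added before the assignment is not needed.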
--
<tkhr.hash@gmail.com>
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: mschuett@NetBSD.org
State-Changed-When: Thu, 22 Jan 2009 21:12:23 +0000
State-Changed-Why:
applied patch
From: Martin Schuette <mschuett@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/40438 CVS commit: src/usr.sbin/syslogd
Date: Thu, 22 Jan 2009 21:10:52 +0000 (UTC)
Module Name: src
Committed By: mschuett
Date: Thu Jan 22 21:10:52 UTC 2009
Modified Files:
src/usr.sbin/syslogd: syslogd.c
Log Message:
PR/40438: Takahiro Hayashi: syslogd(8) refers freed area
To generate a diff of this commit:
cvs rdiff -r1.97 -r1.98 src/usr.sbin/syslogd/syslogd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
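The failure described in this report, as an added example that is not part of the PR or of syslogd.c: a reduced `struct filed` list is torn down once with the pre-patch loop shape and once with the patched one. `junk_free()`, `is_junk()`, `build_list()`, the static `pool` and both `teardown_*` names are assumptions; `junk_free()` stands in for free(3) under the malloc.conf `J` option by overwriting the node with 0x5a while keeping it mapped, so the stale read can be observed without a crash.

```c
#include <stdio.h>
#include <string.h>

#define JUNK   0x5a /* fill byte the report saw with malloc.conf "J" */
#define NNODES 4
struct filed { struct filed *f_next; int f_type; }; /* reduced stand-in */
static struct filed pool[NNODES]; /* constructed sample list storage */

/* Stand-in for free(3) under "J": overwrite the node, keep it mapped. */
static void junk_free(struct filed *f) { memset(f, JUNK, sizeof(*f)); }

/* True when every byte of the pointer value is the junk byte. */
static int is_junk(const struct filed *p) {
    unsigned char pat[sizeof(p)];
    memset(pat, JUNK, sizeof(pat));
    return memcmp(&p, pat, sizeof(p)) == 0;
}

static struct filed *build_list(void) {
    for (int i = 0; i < NNODES; i++)
        pool[i] = (struct filed){ i + 1 < NNODES ? &pool[i + 1] : NULL, i };
    return &pool[0];
}

/* Pre-patch shape: the increment reads f->f_next after the node is freed. */
static int teardown_before(void) {
    int n = 0;
    for (struct filed *f = build_list(); f != NULL; f = f->f_next) {
        if (is_junk(f)) return n; /* syslogd dereferences this and dumps core */
        junk_free(f);
        n++;
    }
    return n;
}

/* Patched shape: save f_next before the node is released. */
static int teardown_after(void) {
    int n = 0;
    for (struct filed *f = build_list(); f != NULL;) {
        struct filed *ftmp = f->f_next;
        junk_free(f);
        f = ftmp;
        n++;
    }
    return n;
}

int main(void) {
    printf("before: %d, after: %d of %d\n", teardown_before(), teardown_after(), NNODES);
    return 0;
}
```

The pre-patch walk stops after a single node because the pointer it loads next is all 0x5a bytes; the patched walk releases every node.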