Re: bin/73337: nsswitch: potential invalid free
- To: freebsd-bugs_(_at_)_FreeBSD_(_dot_)_org
- Subject: Re: bin/73337: nsswitch: potential invalid free
- From: Bruce Cran <bruce_(_at_)_cran_(_dot_)_org_(_dot_)_uk>
- Date: Sat, 12 Jan 2008 11:10:03 GMT
- Cc:
- Reply-to: Bruce Cran <bruce_(_at_)_cran_(_dot_)_org_(_dot_)_uk>
The following reply was made to PR bin/73337; it has been noted by GNATS.
From: Bruce Cran <bruce_(_at_)_cran_(_dot_)_org_(_dot_)_uk>
To: bug-followup_(_at_)_FreeBSD_(_dot_)_org, nectar_(_at_)_FreeBSD_(_dot_)_org
Cc:
Subject: Re: bin/73337: nsswitch: potential invalid free
Date: Sat, 12 Jan 2008 11:01:48 +0000
This still appears to be a problem on 7.0-PRERELEASE: single-threaded
applications get returned a statically-allocated [name]_state structure,
but all of the [name]_endstate functions such as dns_endstate assume
that the memory has been dynamically allocated - and so attempt to
free() a pointer which wasn't obtained through malloc(). I think the
patch below would fix the problem.
--- nss_tls.h.old 2008-01-12 00:21:20.000000000 +0000
+++ nss_tls.h 2008-01-12 10:54:17.000000000 +0000
@@ -50,12 +50,18 @@
static int \
name##_getstate(struct name##_state **p) \
{ \
- static struct name##_state st; \
+ static struct name##_state *st = NULL; \
static pthread_once_t keyinit = PTHREAD_ONCE_INIT; \
int rv; \
\
if (!__isthreaded || _pthread_main_np() != 0) { \
- *p = &st; \
+ if (st == NULL) { \
+ st = calloc(1, sizeof(*st)); \
+ if (st == NULL) \
+ return (ENOMEM); \
+ } \
+ \
+ *p = st; \
return (0); \
} \
rv = _pthread_once(&keyinit, name##_keyinit); \
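Review bot: The `if (st == NULL)` guard in the non-threaded branch allocates only once and keeps the result in a function-local static, so if a [name]_endstate function then free()s that pointer, as the message above describes, `st` still holds the freed address. The next name##_getstate call skips the calloc() and returns a dangling pointer through `*p = st;`, and the next endstate call frees the same address again, which turns the invalid free into a use-after-free and a double free. Because `st` is local to the getstate function, the endstate path has no way to reset it. Consider moving the pointer to file scope inside the macro so it can be set to NULL after free(), or keep the static struct and have the endstate path skip free() in the non-threaded case.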
--
Bruce Cran