Subject: lib/156: cgetent does access free'd memory
To: None <gnats-admin>
From: None <thomas@mathematik.uni-Bremen.de>
List: netbsd-bugs
Date: 03/05/1994 20:05:02
>Number: 156
>Category: lib
>Synopsis: cgetent does access free'd memory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: gnats-admin (Library Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 5 20:05:01 1994
>Originator: Thomas Eberhardt
>Organization:
CeVis, University of Bremen, Germany
>Release:
>Environment:
System: NetBSD ed209 0.9a ED209#0 i386
Machine: i386
>Description:
After rebuilding XFree86-2.0 using the GNU malloc library, xterm
just dumped core. A little investigation showed that the getent
routine that is called by cgetent that is called by tgetent in
the termcap library accesses a record returned by the db library
AFTER closing the database, which is apparently a no-no since
closing the database releases all internal database buffers.
>How-To-Repeat:
>Fix:
*** libc/gen/getcap.c- Tue Jan 4 12:02:32 1994
--- libc/gen/getcap.c Sun Mar 6 04:36:46 1994
***************
*** 195,202 ****
DB *capdbp;
DBT key, data;
register char *r_end, *rp, **db_p;
! int myfd, eof, foundit, retval;
! char *record;
int tc_not_resolved;
char pbuf[_POSIX_PATH_MAX];
--- 195,202 ----
DB *capdbp;
DBT key, data;
register char *r_end, *rp, **db_p;
! int myfd, eof, foundit, retval, clen;
! char *record, *cbuf;
int tc_not_resolved;
char pbuf[_POSIX_PATH_MAX];
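Review bot: `clen` is added as an `int` in `! int myfd, eof, foundit, retval, clen;`, but in the second hunk it receives `strlen(record)` and is then stored through `*len`; giving it the type of `*len` (or `size_t`) avoids the signed/unsigned narrowing on long records. Pairing it with `char *record, *cbuf;` is otherwise clear.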
***************
*** 251,261 ****
!= NULL) {
free(record);
retval = cdbget(capdbp, &record, name);
! if (capdbp->close(capdbp) < 0)
return (-2);
! *len = strlen(record);
! *cap = malloc(*len + 1);
! memmove(*cap, record, *len + 1);
return (retval);
} else {
fd = open(*db_p, O_RDONLY, 0);
--- 251,265 ----
!= NULL) {
free(record);
retval = cdbget(capdbp, &record, name);
! clen = strlen(record);
! cbuf = malloc(clen + 1);
! memmove(cbuf, record, clen + 1);
! if (capdbp->close(capdbp) < 0) {
! free(cbuf);
return (-2);
! }
! *len = clen;
! *cap = cbuf;
return (retval);
} else {
fd = open(*db_p, O_RDONLY, 0);
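Review bot: `cbuf = malloc(clen + 1);` is followed directly by `memmove(cbuf, record, clen + 1);` with no NULL check, so an allocation failure dereferences NULL; the replaced `*cap = malloc(*len + 1);` had the same gap, but since this hunk already adds an error path for `close()`, handle it here as well, e.g. `if ((cbuf = malloc(clen + 1)) == NULL) { capdbp->close(capdbp); return (-2); }`. Taking the copy before `capdbp->close(capdbp)` and freeing `cbuf` when close fails is the right fix for the use-after-free. `retval` from `cdbget()` is still not consulted before `strlen(record)`, as in the old code; whether `record` is always valid after a failed lookup is not visible in this hunk.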
>Audit-Trail:
>Unformatted:
------------------------------------------------------------------------------