Subject: bin/9082: memory leak in telnetd(8)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 12/30/1999 02:27:39
>Number: 9082
>Category: bin
>Synopsis: memory leak in telnetd(8)
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 30 02:27:00 1999
>Last-Modified:
>Originator: Jun-ichiro itojun Hagino
>Organization:
itojun.org
>Release: NetBSD-current and 1.4.1
>Environment:
System: NetBSD turmeric.itojun.org 1.4P NetBSD 1.4P (TURMERIC.v6) #189: Sun Dec 26 21:45:33 PST 1999 itojun@turmeric.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/TURMERIC.v6 i386
>Description:
While constructing arguments to login(8), telnetd(8) uses malloc and
realloc carelessly. The caller never checks the return value from addarg().
If a malloc/realloc failure occurs, login(8) may get a bogus argument
passed to it.
>How-To-Repeat:
>Fix:
The shortest way to fix the problem is this patch.
There can be other ways to fix it (like checking the return value from
addarg() every time a call is made).
Index: sys_term.c
===================================================================
RCS file: /cvsroot/basesrc/libexec/telnetd/sys_term.c,v
retrieving revision 1.17
diff -c -r1.17 sys_term.c
*** sys_term.c 1999/09/17 19:00:32 1.17
--- sys_term.c 1999/12/30 10:20:16
***************
*** 1865,1872 ****
--argv;
*argv = (char *)((long)(*argv) + 10);
argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
! if (argv == NULL)
! return(NULL);
argv++;
cpp = &argv[(long)argv[-1] - 10];
}
--- 1865,1874 ----
--argv;
*argv = (char *)((long)(*argv) + 10);
argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
! if (argv == NULL) {
! fatal(net, "not enough memory");
! /*NOTREACHED*/
! }
argv++;
cpp = &argv[(long)argv[-1] - 10];
}
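Review bot: the fatal() here closes the realloc() failure path, but the description also names malloc; if addarg() has an initial malloc() path that still does return(NULL), it needs the same treatment, otherwise the caller, which never checks addarg()'s result, still receives a bogus vector. Note also that `argv = (char **)realloc(argv, ...)` overwrites the only pointer to the old block before the NULL test, so the block is leaked on failure; that is harmless only because fatal() terminates the process. If the alternative from the Fix section (checking the return value at every call) is ever adopted instead, the realloc() result must go through a temporary so the old vector survives, and the error must be propagated from the caller. The /*NOTREACHED*/ marker after fatal() is the right thing for lint.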
>Audit-Trail:
>Unformatted:
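The failure mode in the description, as an added example that is not part of this PR or of telnetd's own code: an addarg()-style vector builder in the unchecked form the report describes, beside a form that keeps the vector intact on a failed realloc() and a caller that checks every call (the alternative fix the submitter mentions). The realloc hook and the argument words are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

static int fail_next_realloc = 0;   /* test hook, constructed; telnetd has none */
static void *hook_realloc(void *p, size_t n)
{
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Minimal NULL-terminated argument vector, grown 10 slots at a time. */
struct argvec { char **v; size_t len, cap; };

/* Before, the pattern the PR describes: the realloc() result overwrites the
 * only pointer, so on failure the old block leaks and v becomes NULL. */
static int addarg_unchecked(struct argvec *a, const char *s)
{
    if (a->len + 2 > a->cap)
        a->v = hook_realloc(a->v, (a->cap += 10) * sizeof(*a->v));
    if (a->v == NULL)
        return -1;                  /* telnetd's caller never looked here */
    a->v[a->len++] = (char *)s;
    a->v[a->len] = NULL;
    return 0;
}

/* After: grow through a temporary so the vector survives a failed realloc(),
 * and report the failure so the caller can refuse to exec login(8). */
static int addarg_checked(struct argvec *a, const char *s)
{
    if (a->len + 2 > a->cap) {
        char **nv = hook_realloc(a->v, (a->cap + 10) * sizeof(*nv));
        if (nv == NULL)
            return -1;
        a->v = nv;
        a->cap += 10;
    }
    a->v[a->len++] = (char *)s;
    a->v[a->len] = NULL;
    return 0;
}

/* Caller that checks every addarg(); NULL means do not exec login(8) at all. */
static char **build_argv(const char *const *words)
{
    struct argvec a = { NULL, 0, 0 };
    for (; *words != NULL; words++)
        if (addarg_checked(&a, *words) != 0) { free(a.v); return NULL; }
    return a.v;
}
```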