Subject: lib/13292: infinite loop possible in cgetmatch()
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dean@huxley.org>
List: netbsd-bugs
Date: 06/23/2001 12:03:41
>Number:         13292
>Category:       lib
>Synopsis:       infinite loop possible in cgetmatch()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 23 12:02:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Dean Huxley
>Release:        NetBSD 1.5.1_BETA2
>Organization:
none
>Environment:
NetBSD jalapeno 1.5.1 NetBSD 1.5.1 (JALAPENO) #1: Fri Jun 22 05:18:04 MDT 2001     dean@jalapeno:/usr/src/sys/arch/i386/compile/JALAPENO i386
>Description:
I'm seeing lpd processes taking 100% cpu.  The problem results from a
pointer bug in cgetmatch.  With the current logic, it's possible that
the *bp pointer points to buf-1 and one of the for(;;) loops never
breaks out.
>How-To-Repeat:
Compile and run this code:

#include <stdio.h>      /* printf */
#include <stdlib.h>     /* cgetmatch (NetBSD libc getcap interface) */

int
main(void)
{
        /* The leading 'X' keeps buf-1 readable; cgetmatch sees "lp|foo:...". */
        char *buf = "Xlp|foo:lp=/dev/null:";

        /* An empty name sends cgetmatch into its infinite loop. */
        printf("%d\n", cgetmatch(buf + 1, ""));
        return 0;
}

>Fix:
In src/lib/libc/gen/getcap.c, in function cgetmatch, add:

        if(*name == '\0')
                return(-1);

after the _DIAGASSERT lines.
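To show why the empty-name check matters, here is an added example (not the NetBSD libc source, and not part of the PR) that re-implements the control flow of cgetmatch() twice: once with the original loop structure plus an iteration budget so the hang can be observed without actually hanging, and once with the one-line guard proposed above. The function names, the return code CAP_HUNG and the budget parameter are this example's own inventions; the record strings are constructed test data.

```c
#include <stdio.h>

/* Return codes used by both variants below (constructed for this example). */
#define CAP_MATCH    0
#define CAP_NOMATCH -1
#define CAP_HUNG    -2   /* unguarded variant only: iteration budget exhausted */

/*
 * Original control flow, re-implemented for illustration, with a budget
 * on the outer loop.  With an empty name the name-comparison loop breaks
 * on the first character without advancing bp, the "bp--" steps back to
 * buf-1, and from then on the name-skipping loop keeps landing on the
 * same '|' so the outer loop never terminates.  As in the PR, buf must be
 * preceded by one readable byte because of that buf-1 access.
 */
static int
cgetmatch_unguarded(const char *buf, const char *name, unsigned long budget)
{
	const char *np, *bp = buf;

	for (;;) {
		if (budget-- == 0)
			return CAP_HUNG;            /* would have spun forever */
		np = name;
		for (;;) {
			if (*np == '\0') {          /* name exhausted: must sit on a delimiter */
				if (*bp == '|' || *bp == ':' || *bp == '\0')
					return CAP_MATCH;
				break;
			}
			if (*bp++ != *np++)
				break;
		}
		bp--;	/* a '|' or ':' may have stopped the match */
		for (;;) {                  /* skip to the next name in the record */
			if (*bp == '\0' || *bp == ':')
				return CAP_NOMATCH;
			if (*bp++ == '|')
				break;
		}
	}
}

/* Same logic with the guard from the PR: an empty name can never match. */
static int
cgetmatch_fixed(const char *buf, const char *name)
{
	const char *np, *bp = buf;

	if (*name == '\0')
		return CAP_NOMATCH;

	for (;;) {
		np = name;
		for (;;) {
			if (*np == '\0') {
				if (*bp == '|' || *bp == ':' || *bp == '\0')
					return CAP_MATCH;
				break;
			}
			if (*bp++ != *np++)
				break;
		}
		bp--;
		for (;;) {
			if (*bp == '\0' || *bp == ':')
				return CAP_NOMATCH;
			if (*bp++ == '|')
				break;
		}
	}
}

/* Constructed record, padded with one byte exactly as the PR's repro does. */
static const char padded[] = "Xlp|foo:lp=/dev/null:";

int
main(void)
{
	const char *rec = padded + 1;   /* "lp|foo:lp=/dev/null:" */

	printf("unguarded, name \"\"   : %d\n", cgetmatch_unguarded(rec, "", 1000));
	printf("unguarded, name \"foo\": %d\n", cgetmatch_unguarded(rec, "foo", 1000));
	printf("fixed,     name \"\"   : %d\n", cgetmatch_fixed(rec, ""));
	printf("fixed,     name \"lp\" : %d\n", cgetmatch_fixed(rec, "lp"));
	printf("fixed,     name \"fo\" : %d\n", cgetmatch_fixed(rec, "fo"));
	return 0;
}
```

The unguarded variant returns CAP_HUNG for the empty name only because of the artificial budget; the real function has no such bound, which is the 100% CPU lpd the PR describes. Note also that "fo" does not match "foo": a name only matches when the record character after it is a delimiter, which is the check the empty name short-circuits.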
>Release-Note:
>Audit-Trail:
>Unformatted: