Subject: Re: bin/34030: double-free bugs in CVS 1.11.22
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Quentin Garnier <cube@cubidou.net>
List: netbsd-bugs
Date: 07/18/2006 14:50:02
The following reply was made to PR bin/34030; it has been noted by GNATS.
From: Quentin Garnier <cube@cubidou.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/34030: double-free bugs in CVS 1.11.22
Date: Tue, 18 Jul 2006 16:49:08 +0200
On Tue, Jul 18, 2006 at 02:20:01PM +0000, tnozaki@NetBSD.org wrote:
> >Number: 34030
> >Category: bin
> >Synopsis: double-free bugs in CVS 1.11.22
> >Confidential: no
> >Severity: non-critical
> >Priority: high
> >Responsible: bin-bug-people
> >State: open
> >Class: sw-bug
> >Submitter-Id: net
> >Arrival-Date: Tue Jul 18 14:20:01 +0000 2006
> >Originator: Takehiko NOZAKI
> >Release: 3.99.22 i386
> >Organization:
> >Environment:
> NetBSD spooky.example.com 3.99.22 NetBSD 3.99.22 (SPOOKY) #0: Tue Jul 18 00:43:31 JST 2--6 root@spooky.example.com:/usr/obj/sys/arhc/i386/compile/SPOOKY i386
>
> $ cvs -v
>
> Concurrent Version System (CVS) 1.11.22 (client/server)
> >Description:
> char pointer variable `cvs_password' (login.c:33) is
> freed twice, by auth_server() (client.c:3940) and login() (login.c:572).
> This bug was introduced by the following Coverity fix:
> http://cvsweb.netbsd.org/bsdweb.cgi/src/gnu/dist/xcvs/src/client.c.diff?r1=1.5&r2=1.6
>
> For more detailed information, see the attached patch.
> >How-To-Repeat:
> $ cvs -d :pserver:foo@bar.example.com:2401/cvsroot login
> Logging in to :pserver:foo@bar.example.com:2401/cvsroot
> CVS password:
> cvs in free(): warning: chunk is already free.
>
>
> >Fix:
> Index: gnu/dist/xcvs/src/client.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> RCS file: /cvsroot/src/gnu/dist/xcvs/src/client.c,v
> retrieving revision 1.7
> diff -u -r1.7 client.c
> --- gnu/dist/xcvs/src/client.c 23 Jun 2006 22:44:11 -0000 1.7
> +++ gnu/dist/xcvs/src/client.c 18 Jul 2006 07:33:06 -0000
> @@ -3937,7 +3937,8 @@
> =20
> /* Paranoia. */
> memset (password, 0, strlen (password));
> - free (password);
> + if (no_passwd =3D=3D 1) /* password =3D=3D get_cvs_password() */
> + free (password);
> # else /* ! AUTH_CLIENT_SUPPORT */
> error (1, 0, "INTERNAL ERROR: This client does not support pserver auth=
entication");
> # endif /* AUTH_CLIENT_SUPPORT */
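Review bot: the new guard on `free (password)` ties ownership of the buffer to `no_passwd == 1`, and only the trailing comment says why that value means the pointer came from get_cvs_password(). A local flag set at the point where get_cvs_password() is called, or leaving each free to the function that allocated the buffer, would state the ownership rule directly and keep it from breaking if no_passwd is ever used for something else. The unchanged `memset (password, 0, strlen (password));` context line above the guard still runs unconditionally and dereferences password with no NULL check, so it needs the same scrutiny as the free.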
The memset line is also wrong in that case. Or, at least, not needed
(is strlen(NULL) defined?).
-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"When I find the controls, I'll go where I like, I'll know where I want
to be, but maybe for now I'll stay right here on a silent sea."
KT Tunstall, Silent Sea, Eye to the Telescope, 2004.
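
The ownership problem described in the PR (one password buffer released by both the callee and its caller), as an added example that is not part of the original thread or of the CVS sources. All names here (authenticate, login_flow, fetch_stored_password, scrub) and the sample strings are hypothetical; the callee records whether it allocated the buffer and frees only in that case.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a stored-password lookup: returns a heap copy. */
static char *fetch_stored_password(void)
{
    char *copy = malloc(8);
    if (copy != NULL)
        strcpy(copy, "stored1");        /* constructed value */
    return copy;
}

/* Zero a secret through a volatile pointer so the stores are not elided
   ahead of free(); tolerates NULL, unlike a bare strlen() call. */
static void scrub(char *s)
{
    volatile char *p = s;
    size_t n = (s != NULL) ? strlen(s) : 0;
    while (n--)
        *p++ = 0;
}

/* Callee: returns 1 if it freed its own buffer, 0 if the caller still
   owns the buffer it passed in, -1 if no password was available. */
int authenticate(char *caller_password)
{
    char *password = caller_password;
    int owned = 0;                      /* set only where we allocate */
    if (password == NULL) {
        password = fetch_stored_password();
        if (password == NULL)
            return -1;
        owned = 1;
    }
    /* ... the password would be sent to the server here ... */
    scrub(password);
    if (owned)
        free(password);
    return owned;
}

/* Caller: allocates, lends the buffer, and frees it exactly once.
   Returns 1 when the callee left the buffer alive but scrubbed. */
int login_flow(void)
{
    char *typed = malloc(8);
    if (typed == NULL) return -1;
    strcpy(typed, "s3cret");            /* constructed value */
    int ok = (authenticate(typed) == 0) && typed[0] == '\0';
    free(typed);
    return ok;
}
```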