NetBSD-Bugs archive
bin/40438: syslogd(8) refers to freed area
>Number: 40438
>Category: bin
>Synopsis: syslogd(8) refers to free(3)d area
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jan 19 23:30:01 +0000 2009
>Originator: Takahiro Hayashi
>Release: NetBSD-current (5.99.5) Dec 18 15:18:35 UTC 2008
>Organization:
>Environment:
System: NetBSD fork 5.99.5 NetBSD 5.99.5 (FORK) #0: Fri Dec 19 08:16:54 JST 2008 root@fork:/usr/obj/sys/arch/i386/compile/FORK i386
Architecture: i386
Machine: i386
>Description:
syslogd(8) dumps core with /etc/malloc.conf set to AJ when it receives SIGHUP (e.g. when newsyslog runs from cron).
In syslogd.c:init(), around line 3393, syslogd free(3)s the old f before reading f = f->f_next,
so f then points into the freed area (a stream of 0x5a bytes when malloc.conf contains J).
>How-To-Repeat:
ln -s AJ /etc/malloc.conf, restart syslogd and send SIGHUP to syslogd.
>Fix:
Avoid referencing the freed area, for example by keeping f_next in another variable like this:
Index: syslogd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.94
diff -u -u -r1.94 syslogd.c
--- syslogd.c 27 Nov 2008 20:37:21 -0000 1.94
+++ syslogd.c 19 Jan 2009 22:45:13 -0000
@@ -3389,7 +3389,9 @@
/*
* Free old log files.
*/
- for (f = Files; f != NULL; f = f->f_next) {
+ for (f = Files; f != NULL;) {
+ struct filed *ftmp;
+
/* check if a new logfile is equal, if so pass the queue */
for (f2 = newf; f2 != NULL; f2 = f2->f_next) {
if (f->f_type == f2->f_type
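Review bot: with the increment removed from the for header, every path through the loop body now has to reach the `f = ftmp;` at the bottom of the loop; if the body between this hunk and the next contains a `continue` (after passing the queue to an equal new logfile, say), the loop would keep re-reading the same f, which is exactly the stale pointer this PR is about. Keeping the advance in the header avoids that: `for (f = Files; f != NULL; f = ftmp) {` with `ftmp = f->f_next;` as the first statement of the body. The `struct filed *ftmp;` declaration could then also move up next to `f` and `f2` with the function's other locals instead of being declared inside the loop.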
@@ -3420,7 +3422,10 @@
FREEPTR(f->f_program);
FREEPTR(f->f_host);
DEL_EVENT(f->f_sq_event);
+
+ ftmp = f->f_next;
free((char *)f);
+ f = ftmp;
}
Files = newf;
Initialized = 1;
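Review bot: the save of `f->f_next` is correct here (FREEPTR and DEL_EVENT above it release members of f, not f itself), but the reason for the extra variable is not visible at this point in the code; a one-line comment on the added line, e.g. `ftmp = f->f_next;	/* f_next is gone once f is freed */`, would keep the next person from "simplifying" it back into the for header with `f->f_next`.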
--
<tkhr.hash%gmail.com@localhost>
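As an added illustration (not code from the PR or from syslogd itself), a reduced model of the init() loop that saves the next pointer while the entry is still live, in the shape the fix describes: struct filed is pared down to the fields the loop touches, f_qcount stands in for the queue that is passed to an equal new entry, the 0x5a fill emulates the malloc.conf J behaviour the PR describes, and the host names and counts are constructed sample data.

```c
#include <stdlib.h>
#include <string.h>

/* Reduced model of syslogd's struct filed: just the fields the loop touches. */
struct filed {
	struct filed *f_next;
	const char *f_host;	/* selector used to match old and new entries */
	int f_qcount;		/* stands in for the queued state that is passed on */
};

/* Build one entry in front of `next` (constructed data, no config parsing). */
static struct filed *new_filed(struct filed *next, const char *host, int qcount)
{
	struct filed *f = calloc(1, sizeof(*f));
	if (f == NULL)
		abort();
	f->f_next = next;
	f->f_host = host;
	f->f_qcount = qcount;
	return f;
}

/* Release the old list, handing each entry's queue to an equal new entry.
 * f_next is read while f is still live and the advance stays in the for
 * header, so no path through the body can leave f pointing at freed memory. */
static int free_old_files(struct filed *files, struct filed *newf)
{
	struct filed *f, *f2, *ftmp;
	int nfreed = 0;

	for (f = files; f != NULL; f = ftmp) {
		ftmp = f->f_next;	/* f_next is gone once f is freed */
		for (f2 = newf; f2 != NULL; f2 = f2->f_next)
			if (strcmp(f->f_host, f2->f_host) == 0) {
				f2->f_qcount += f->f_qcount;	/* pass the queue */
				break;
			}
		memset(f, 0x5a, sizeof(*f));	/* emulate malloc.conf J: poison before free */
		free(f);
		nfreed++;
	}
	return nfreed;
}

/* Constructed scenario: three old entries, one of which (hostB) survives the
 * reload. Returns the number freed; *passed gets the survivor's queue count. */
static int run_demo(int *passed)
{
	struct filed *old = new_filed(new_filed(new_filed(NULL, "hostC", 0), "hostB", 3), "hostA", 2);
	struct filed *newf = new_filed(NULL, "hostB", 1);
	int n = free_old_files(old, newf);

	*passed = newf->f_qcount;
	free(newf);
	return n;
}
```

Run with the J option set (or under a sanitizer) to see that no freed byte is read; the buggy loop from the PR would instead take its next pointer from the 0x5a-filled block.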