OSSP: CVS Repository: Check-in [3091]

Check-in Number:

3091

Date:

2003-Jan-27 17:01:35 (local)
2003-Jan-27 16:01:35 (UTC)

User:

thl

Branch:

Comment:

fix iteration through non malloc(3)ed memory in l2_channel_destroy(). Bug caught on FreeBSD5

Tickets:

Inspections:

Files:

ossp-pkg/l2/TODO	1.58 -> 1.59	12 inserted, 0 deleted
ossp-pkg/l2/l2_channel.c	1.30 -> 1.31	13 inserted, 4 deleted
ossp-pkg/l2/l2_test.c	1.51 -> 1.52	4 inserted, 3 deleted

ossp-pkg/l2/TODO 1.58 -> 1.59

--- TODO 2003/01/06 11:41:51 1.58 +++ TODO 2003/01/27 16:01:35 1.59 @@ -9,6 +9,18 @@ TODO ==== +20030127 thl + Fixed a bug in l2_channel.c:l2_channel_destroy() where chD was + passing a pointer to l2_channel_downstream() to find a sibling of a + previously free(3)d node. This caused a bus error on FreeBSD5 where + free(3) filled the free area with nonzero data. All other + implementations seem to keep the data and l2_channel_downstream() + traversed through still valid pointers in unmalloc(3)ed areas. This + caused openssh using fsl v1.0.6 to fail on FreeBSD5. The fix was + implemented in l2_channel_destroy() through look-ahead. This is once + again a basic iteration problem which can catch us in other places + as well. This needs to be verified. + Structure of channels and documentation [thl]. It should be possible to drag the documentation out of a channel's source code. Everything else is error prone and a documentation nightmare. Currently, most (noop and

ossp-pkg/l2/l2_channel.c 1.30 -> 1.31

--- l2_channel.c 2003/01/06 11:41:51 1.30 +++ l2_channel.c 2003/01/27 16:01:35 1.31 @@ -455,8 +455,10 @@ l2_result_t l2_channel_destroy(l2_channel_t *ch) { l2_result_t rv; - l2_result_t rvD; + l2_result_t rvD; /* downstream */ l2_channel_t *chD; + l2_result_t rvL; /* lookahead */ + l2_channel_t *chL; /* argument sanity check */ if (ch == NULL) @@ -477,9 +479,16 @@ if (rv == L2_OK_PASS) { rv = L2_OK; chD = NULL; - while (l2_channel_downstream(ch, &chD) == L2_OK) - if ((rvD = l2_channel_destroy(chD)) != L2_OK) - rv = rvD; + if (l2_channel_downstream(ch, &chD) == L2_OK) { + chL = chD; + do { + rvL = l2_channel_downstream(ch, &chL); + if ((rvD = l2_channel_destroy(chD)) != L2_OK) + rv = rvD; + if (rvL == L2_OK) + chD = chL; + } while ((rv == L2_OK) && (rvL == L2_OK)); + } } /* free channel structure */

ossp-pkg/l2/l2_test.c 1.51 -> 1.52

--- l2_test.c 2003/01/06 11:41:52 1.51 +++ l2_test.c 2003/01/27 16:01:35 1.52 @@ -89,10 +89,11 @@ " filter(regex=hecking, negate=0)" " -> prefix(prefix=\"[%d-%m-%Y/%H:%M:%S] %L test[%P]: \", timezone=local)" " -> buffer(size=800)" -/* " -> buffer(size=800, timer=on)"*/ " -> file(path=l2_test.log, append=1, perm=0644) ;" +/* " syslog(ident=L2-Test, facility=user, " " remotehost=localhost, logpid=1, target=remote)" +*/ "}"; fprintf(stderr, "configuring: %s\n", spec); if ((rv = l2_spec(&ch, env, "%s", spec)) != L2_OK) @@ -158,11 +159,11 @@ /* perform a few log operations */ if ((rv = l2_channel_log(ch, L2_LEVEL_PANIC, "1: Checking localhost %s %{myparm}k <%{text}S><%{hex}S><%{base64}S>\n", "foo", 12345, "foo\1bar", 7, "foo\1bar", 7, "foo\1bar", 7)) != L2_OK) die(env, rv, "failed to log message #1 to channel"); - if ((rv = l2_channel_log(ch, L2_LEVEL_PANIC, "2: Shecking\n")) != L2_OK) + if ((rv = l2_channel_log(ch, L2_LEVEL_PANIC, "2: Checking\n")) != L2_OK) die(env, rv, "failed to log message #2 to channel"); if ((rv = l2_channel_log(ch, L2_LEVEL_PANIC, "3: Checking localhost %s %{myparm}k <%{text}S><%{hex}S><%{base64}S>\n", "foo", 12345, "foo\1bar", 7, "foo\1bar", 7, "foo\1bar", 7)) != L2_OK) die(env, rv, "failed to log message #3 to channel"); - if ((rv = l2_channel_log(ch, L2_LEVEL_PANIC, "4: Shecking\n")) != L2_OK) + if ((rv = l2_channel_log(ch, L2_LEVEL_PANIC, "4: Checking\n")) != L2_OK) die(env, rv, "failed to log message #4 to channel"); /* destroy channel tree */

OSSP CVS Repository