From matthias.andree@gmx.de  Sun Aug 20 00:02:33 2006
Return-Path: <matthias.andree@gmx.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6504616A4DA
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 20 Aug 2006 00:02:33 +0000 (UTC)
	(envelope-from matthias.andree@gmx.de)
Received: from mail.gmx.net (mail.gmx.de [213.165.64.20])
	by mx1.FreeBSD.org (Postfix) with SMTP id 7D65543D49
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 20 Aug 2006 00:02:32 +0000 (GMT)
	(envelope-from matthias.andree@gmx.de)
Received: (qmail invoked by alias); 20 Aug 2006 00:02:31 -0000
Received: from p50913C23.dip0.t-ipconnect.de (EHLO m2a2.dyndns.org) [80.145.60.35]
  by mail.gmx.net (mp001) with SMTP; 20 Aug 2006 02:02:31 +0200
Received: from localhost (localhost [127.0.0.1])
	by merlin.emma.line.org (Postfix) with ESMTP id 08CC12014CC;
	Sun, 20 Aug 2006 02:02:30 +0200 (CEST)
Received: from m2a2.dyndns.org ([127.0.0.1])
 by localhost (m2a2.dyndns.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 20999-18; Sun, 20 Aug 2006 02:02:29 +0200 (CEST)
Received: from libertas.emma.line.org (libertas.emma.line.org [192.168.1.2])
	by merlin.emma.line.org (Postfix) with ESMTP id CC210201325;
	Sun, 20 Aug 2006 02:02:29 +0200 (CEST)
Received: by libertas.emma.line.org (Postfix, from userid 1001)
	id 781B435; Sun, 20 Aug 2006 02:02:29 +0200 (CEST)
Message-Id: <20060820000229.781B435@libertas.emma.line.org>
Date: Sun, 20 Aug 2006 02:02:29 +0200 (CEST)
From: Matthias Andree <matthias.andree@gmx.de>
Reply-To: Matthias Andree <matthias.andree@gmx.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: grep malloc(0) abuse?
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         102299
>Category:       bin
>Synopsis:       [patch] grep(1) malloc abuse?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 20 00:10:15 GMT 2006
>Closed-Date:    
>Last-Modified:  Wed Sep 13 22:53:19 GMT 2006
>Originator:     Matthias Andree
>Release:        FreeBSD 6.1-RELEASE-p3 i386
>Organization:
>Environment:
System: FreeBSD libertas.emma.line.org 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #13: Sat Jul 15 11:21:56 CEST 2006 toor@libertas.emma.line.org:/usr/obj/usr/src/sys/MA6 i386


	
>Description:
grep complains "grep: Memory exhausted" if /etc/malloc.conf contains V.

$ make package
===>  Found saved configuration for openvpn-2.0.6_1
===>  Extracting for openvpn-2.0.6_1
grep: Memory exhausted
=> No MD5 checksum recorded for openvpn-2.0.6.tar.gz.
grep: Memory exhausted
=> No SHA256 checksum recorded for openvpn-2.0.6.tar.gz.

This problem goes away if the V is removed from /etc/malloc.conf.

	
>How-To-Repeat:
ln -sf 'AVj' /etc/malloc.conf
cd /usr/ports/security/openvpn
make package
	
>Fix:

	


>Release-Note:
>Audit-Trail:

From: Thomas Quinot <thomas@FreeBSD.ORG>
To: Matthias Andree <matthias.andree@gmx.de>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/102299: grep malloc(0) abuse?
Date: Mon, 21 Aug 2006 00:26:27 +0200

 * Matthias Andree, 2006-08-20 :
 
 > ln -sf 'AVj' /etc/malloc.conf
 > cd /usr/ports/security/openvpn
 > make package
 
 Simpler:
 
 MALLOC_OPTIONS=V grep ^x /dev/null
 
 Thomas.
 

From: "Devon H. O'Dell" <devon.odell@coyotepoint.com>
To: bug-followup@FreeBSD.org,  matthias.andree@gmx.de, 
 Thomas Quinot <thomas@FreeBSD.ORG>,
  tjr@FreeBSD.org
Cc:  
Subject: Re: bin/102299: grep(1) malloc abuse?
Date: Wed, 13 Sep 2006 17:12:26 -0400

 Turns out the problem is in libgnuregex. The attached patch solves the 
 problem. I followed the instructions from FREEBSD-upgrade, removing the 
 release tag, and the current vendor branch does not fix this issue.
 
 Attached is a patch that fixes the issue for me and doesn't seem to 
 cause any regressions whatsoever.
 
 Patch also available at http://databits.net/~dho/regex_internal.patch
 
 I'm not sure whether submitting this patch to the vendor is terribly 
 useful, since this is part of glibc in Linux and their malloc doesn't 
 have this behavior.
 
 Kind regards,
 
 Devon H. O'Dell
 
 --- gnu/lib/libregex/regex_internal.c.old	Wed Sep 13 16:23:37 2006
 +++ gnu/lib/libregex/regex_internal.c	Wed Sep 13 16:22:55 2006
 @@ -1501,9 +1501,17 @@
    int i;
  
    newstate->hash = hash;
 -  err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem);
 -  if (BE (err != REG_NOERROR, 0))
 -    return REG_ESPACE;
 +
 +  /*
 +   * Allocating with a length of 0 has undefined behavior, and we recover from
 +   * this error later on in the function. So don't do it.
 +   */
 +  if (newstate->nodes.nelem != 0) {
 +    err = re_node_set_alloc (&newstate->non_eps_nodes, newstate->nodes.nelem);
 +    if (BE (err != REG_NOERROR, 0))
 +      return REG_ESPACE;
 +  }
 +
    for (i = 0; i < newstate->nodes.nelem; i++)
      {
        int elem = newstate->nodes.elems[i];
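Review bot: when newstate->nodes.nelem is 0 the new guard skips re_node_set_alloc entirely, so nothing in this hunk initializes newstate->non_eps_nodes on that path; confirm that newstate is zero-filled before this point (or add an else branch that sets non_eps_nodes.elems = NULL and .nelem = .alloc = 0), otherwise a later free of or iteration over non_eps_nodes reads indeterminate fields. The added comment also overstates the cause: malloc(0) is implementation-defined rather than undefined (it may return NULL or a unique pointer), and the actual defect is that the NULL returned for a zero-length request is mapped to REG_ESPACE by the `if (BE (err != REG_NOERROR, 0)) return REG_ESPACE;` path, so rewording the comment along those lines keeps the rationale accurate. Minor: the `if (...) {` brace placement differs from the GNU layout of the surrounding `for (...)` block.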
 
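As an added illustration of the failure mode this PR describes (example code, not from the PR, from libgnuregex or from FreeBSD): a constructed stand-in for phkmalloc's MALLOC_OPTIONS=V makes a zero-byte request return NULL, and two versions of a node-set allocator show why the unguarded one reports REG_ESPACE for an empty set while the guarded one does not. The names sim_malloc, node_set, node_set_alloc_naive, node_set_alloc_safe and try_alloc are all constructed here and are not the library's real re_node_set_alloc.

```c
#include <stdlib.h>
/* Constructed error codes mirroring the regex(3) names used in the patch. */
enum { REG_NOERROR = 0, REG_ESPACE = 12 };
/* Constructed model of a node set: elems holds alloc slots, nelem in use. */
typedef struct { int *elems; int nelem; int alloc; } node_set;

/* Constructed stand-in for phkmalloc with MALLOC_OPTIONS=V: a zero-byte
 * request returns NULL instead of a minimal chunk. C leaves malloc(0)
 * implementation-defined, so NULL from a zero-size request is not proof
 * of memory exhaustion. */
static int v_option = 0;
static void *sim_malloc(size_t n)
{
    return (n == 0 && v_option) ? NULL : malloc(n);
}

/* Naive allocator: always mallocs and maps NULL to REG_ESPACE, which is
 * what turns an empty set into "grep: Memory exhausted" under V. */
static int node_set_alloc_naive(node_set *s, int size)
{
    s->nelem = 0;
    s->alloc = size;
    s->elems = sim_malloc(sizeof(int) * (size_t)size);
    return s->elems == NULL ? REG_ESPACE : REG_NOERROR;
}

/* Guarded allocator: an empty set needs no storage, so never call
 * malloc(0); elems stays NULL (free(NULL) is a no-op) and we succeed. */
static int node_set_alloc_safe(node_set *s, int size)
{
    s->nelem = 0;
    s->alloc = size;
    s->elems = NULL;
    if (size == 0)
        return REG_NOERROR;
    s->elems = sim_malloc(sizeof(int) * (size_t)size);
    return s->elems == NULL ? REG_ESPACE : REG_NOERROR;
}

/* Run one allocator (guarded: 0 = naive, 1 = guarded) for `size` elements
 * with the V option on or off; free the result and return the code. */
int try_alloc(int guarded, int size, int v)
{
    node_set s;
    int err;
    v_option = v;
    err = guarded ? node_set_alloc_safe(&s, size)
                  : node_set_alloc_naive(&s, size);
    free(s.elems);
    return err;
}
```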
>Unformatted:
