From sclawson@cs.utah.edu Tue Apr 13 17:22:08 1999
Return-Path: <sclawson@cs.utah.edu>
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100])
	by hub.freebsd.org (Postfix) with ESMTP id BEB1515241
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 13 Apr 1999 17:22:07 -0700 (PDT)
	(envelope-from sclawson@cs.utah.edu)
Received: from ibapah.cs.utah.edu (ibapah.cs.utah.edu [155.99.212.83])
	by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id SAA04414
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 13 Apr 1999 18:19:47 -0600 (MDT)
Received: (from sclawson@localhost)
	by ibapah.cs.utah.edu (8.9.1/8.9.1) id SAA17132;
	Tue, 13 Apr 1999 18:19:47 -0600 (MDT)
	(envelope-from sclawson@cs.utah.edu)
Message-Id: <199904140019.SAA17132@ibapah.cs.utah.edu>
Date: Tue, 13 Apr 1999 18:19:47 -0600 (MDT)
From: Stephen Clawson <sclawson@cs.utah.edu>
Reply-To: sclawson@cs.utah.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: ypserv dumps core: bad length given to a strncmp in yp_next_record.
X-Send-Pr-Version: 3.2

>Number:         11122
>Category:       bin
>Synopsis:       ypserv dumps core: bad length given to a strncmp in yp_next_record.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 13 17:20:00 PDT 1999
>Closed-Date:    Tue Apr 13 21:07:24 PDT 1999
>Last-Modified:  Tue Apr 13 21:08:51 PDT 1999
>Originator:     Stephen Clawson
>Release:        FreeBSD 3.0-CURRENT i386 (jan 27, 1999)
>Organization:
University of Utah
>Environment:

       	A dual PII/350 running FreeBSD 3.0-CURRENT as of jan 27, 1999, acting
	as a yp slave for a group of 40+ machines running FreeBSD, NetBSD and 
	Linux.

        It's the same set-up from bin/10970 and bin/10971.

>Description:

     	There's a bug in yp_dblookup.c:yp_next_record().  The key passed
in to yp_next_record is compared against all the keys in the database
using strncmp.  However, the length given to strncmp is the size of
the first key, so if the second key is shorter and happens to be
aligned in memory so that accessing past the end of it hits
unallocated memory ypserv will core dump.

    	The sad thing is that there's a check to see if the key lengths 
don't match, but it's _after_ the strncmp. =(  Swapping their places 
nicely fixes the problem.

>How-To-Repeat:

	Run a yp server with a decent number of machines.

>Fix:
	
diff -c -r1.15 yp_dblookup.c
*** yp_dblookup.c       1998/02/11 19:15:32     1.15
--- yp_dblookup.c       1999/04/13 23:51:44
***************
*** 615,622 ****
                if (qhead.cqh_first->dbptr->key == NULL) {
  #endif
                        (dbp->seq)(dbp,&lkey,&ldata,R_FIRST);
!                       while(strncmp((char *)key->data,lkey.data,
!                               (int)key->size) || key->size != lkey.size)
                                if ((dbp->seq)(dbp,&lkey,&ldata,R_NEXT)) {
  #ifdef DB_CACHE
                                        qhead.cqh_first->dbptr->size = 0;
--- 615,623 ----
                if (qhead.cqh_first->dbptr->key == NULL) {
  #endif
                        (dbp->seq)(dbp,&lkey,&ldata,R_FIRST);
!                       while (key->size != lkey.size ||
!                              strncmp((char *)key->data,lkey.data,
!                                      (int)key->size))
                                if ((dbp->seq)(dbp,&lkey,&ldata,R_NEXT)) {
  #ifdef DB_CACHE
                                        qhead.cqh_first->dbptr->size = 0;
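Review bot: with the size test now evaluated first, the strncmp in the replacement condition is still the wrong primitive for DBT keys: strncmp stops at the first NUL byte, so two keys of equal size that differ only after an embedded NUL would compare equal, and db(3) keys are length-delimited rather than NUL-terminated. Suggest `memcmp(key->data, lkey->data, key->size)`, which compares exactly key->size bytes and also lets the `(char *)` and `(int)` casts go away.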



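Added example, not part of this PR or of the ypserv sources: a self-contained C model of the comparison in yp_next_record, with the original condition order beside the corrected one. The dbt_t struct, the make_key helper, the find_key scan and the sample map entries are all assumptions standing in for db(3) DBTs and the seq() walk. It goes one step beyond the patch by using memcmp in the fixed version, so it also shows the equal-length, embedded-NUL case that strncmp cannot distinguish.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the db(3) DBT ypserv uses: a pointer plus a byte count,
 * with no guarantee of NUL termination (assumed layout, not the real one). */
typedef struct {
    const void *data;
    size_t size;
} dbt_t;

/* Original loop condition from the PR: strncmp runs first, using the size
 * of the lookup key, so it can read past the end of a shorter record key
 * before the size test ever gets a chance to short-circuit. */
static int keys_differ_buggy(const dbt_t *key, const dbt_t *lkey)
{
    return strncmp((const char *)key->data, (const char *)lkey->data,
                   key->size) || key->size != lkey->size;
}

/* Corrected order: sizes first, so the byte comparison only runs over two
 * buffers of equal length. memcmp instead of strncmp because DB keys are
 * length-delimited and may contain NUL bytes. */
static int keys_differ_fixed(const dbt_t *key, const dbt_t *lkey)
{
    return key->size != lkey->size ||
           memcmp(key->data, lkey->data, key->size) != 0;
}

/* Linear scan over a table of records, modelling the R_FIRST/R_NEXT walk.
 * Returns the index of the matching record, or -1 if none matches. */
static int find_key(const dbt_t *table, size_t n, const dbt_t *key,
                    int (*differ)(const dbt_t *, const dbt_t *))
{
    for (size_t i = 0; i < n; i++)
        if (!differ(key, &table[i]))
            return (int)i;
    return -1;
}

/* Length-delimited copy of exactly n bytes, no terminator, as a DB would
 * store a key. The exact-size heap allocation is what makes the original
 * overread visible: strncmp walking past lkey->size bytes steps off the
 * end of this buffer, which AddressSanitizer reports as a heap overread. */
static dbt_t make_key(const char *s, size_t n)
{
    dbt_t d;
    char *p = malloc(n);
    if (p == NULL) {
        perror("malloc");
        exit(1);
    }
    memcpy(p, s, n);
    d.data = p;
    d.size = n;
    return d;
}

/* Constructed sample map. The lookup key "beta" shares its first two bytes
 * with the 2-byte record "be", which is the shape of the crash in the PR:
 * keys_differ_buggy would compare 4 bytes against a 2-byte buffer here.
 * Returns the index the fixed comparison finds for "beta" (expected 2). */
static int lookup_demo(void)
{
    dbt_t table[3];
    dbt_t key;
    int idx;

    table[0] = make_key("alphabet", 8);
    table[1] = make_key("be", 2);       /* shorter than the lookup key */
    table[2] = make_key("beta", 4);
    key = make_key("beta", 4);

    idx = find_key(table, 3, &key, keys_differ_fixed);

    for (size_t i = 0; i < 3; i++)
        free((void *)table[i].data);
    free((void *)key.data);
    return idx;
}

/* Two equal-length keys that differ only after an embedded NUL. Returns 1
 * when the strncmp version wrongly reports them as equal and the memcmp
 * version correctly reports them as different. */
static int embedded_nul_case(void)
{
    static const char k1[4] = { 'a', 'b', '\0', 'c' };
    static const char k2[4] = { 'a', 'b', '\0', 'd' };
    dbt_t x = { k1, 4 }, y = { k2, 4 };
    return keys_differ_buggy(&x, &y) == 0 && keys_differ_fixed(&x, &y) == 1;
}

int main(void)
{
    printf("fixed lookup finds index %d\n", lookup_demo());
    printf("embedded NUL keys told apart: %s\n",
           embedded_nul_case() ? "yes" : "no");
    return 0;
}
```

Building with `-fsanitize=address` and swapping keys_differ_fixed for keys_differ_buggy in lookup_demo is the quickest way to see the overread the PR describes without waiting for a page boundary to line up.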
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: wpaul 
State-Changed-When: Tue Apr 13 21:07:24 PDT 1999 
State-Changed-Why:  

Okay, color me stupid. Supplied change has been made to both -current 
and -stable branches. I can't believe I actually did that. 

-Bill 
>Unformatted:
