From jeremyp@gsmx07.alcatel.com.au Thu Jul 22 21:16:31 1999
Return-Path: <jeremyp@gsmx07.alcatel.com.au>
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10])
	by hub.freebsd.org (Postfix) with ESMTP id E95C615697
	for <FreeBSD-gnats-submit@FreeBSD.ORG>; Thu, 22 Jul 1999 21:16:16 -0700 (PDT)
	(envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40354>; Fri, 23 Jul 1999 13:54:48 +1000
Message-Id: <99Jul23.135448est.40354@border.alcanet.com.au>
Date: Fri, 23 Jul 1999 14:13:03 +1000
From: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
Reply-To: peter.jeremy@alcatel.com.au
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Memory leak in init(8)
X-Send-Pr-Version: 3.2

>Number:         12769
>Category:       bin
>Synopsis:       Memory leak in init(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 22 21:20:00 PDT 1999
>Closed-Date:    Fri Jul 23 01:30:55 PDT 1999
>Last-Modified:  Fri Jul 23 01:32:10 PDT 1999
>Originator:     Peter Jeremy
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Alcatel Australia Limited
>Environment:

	cvs-cur 5500

>Description:

	If init is unable to parse the getty or window command line, it
	doesn't free the memory it allocated to contain the argv pointers
	(allocated at 1 more than half the length of the command line).

>How-To-Repeat:

	Found by code inspection.

	An /etc/ttys containing the following line:
tty99 "                                                              " cons25 on secure
	should leak 128 bytes on every SIGHUP.  Enough similar lines and
	enough SIGHUPs show a detectable increase in process size.

>Fix:

Index: sbin/init/init.c
===================================================================
RCS file: /home/CVSROOT/./src/sbin/init/init.c,v
retrieving revision 1.33
diff -u -r1.33 init.c
--- init.c	1999/06/18 09:08:09	1.33
+++ init.c	1999/07/23 03:53:39
@@ -935,8 +935,10 @@
 	register char **argv = (char **) malloc(((strlen(command) + 1) / 2 + 1)
 						* sizeof (char *));
 
-	if ((argv[argc++] = strk(command)) == 0)
-		return 0;
+	if ((argv[argc++] = strk(command)) == 0) {
+		free(argv);
+		return (NULL);
+	}
 	while ((argv[argc++] = strk((char *) 0)) != NULL)
 		continue;
 	return argv;
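Review bot: the malloc() result at the top of this hunk is still used unchecked in `argv[argc++] = strk(command)`, so an allocation failure turns into a NULL pointer write before the new free() path can be reached. Add a check such as `if (argv == NULL) return (NULL);` ahead of the first strk() call. As a style point, the new `return (NULL);` and the existing `return argv;` two lines later use different conventions; pick one for the function.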
@@ -1044,7 +1046,7 @@
 		return (0);
 	}
 	if (sp->se_window) {
-			free(sp->se_window);
+		free(sp->se_window);
 		free(sp->se_window_argv_space);
 		free(sp->se_window_argv);
 	}
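Review bot: the only change in this hunk is the re-indentation of `free(sp->se_window);`, which is unrelated to the leak fixed at line 935. Commit it separately or mention it in the log message, so that the functional change is not mixed with whitespace cleanup when the history is read later.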

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Fri Jul 23 01:30:55 PDT 1999 
State-Changed-Why:  
Suggested patch applied in both CURRENT and STABLE, thanks! 
>Unformatted:
