From davidn@nserver.usn.blaze.net.au  Thu Dec 12 00:39:22 1996
Received: from nserver.blaze.net.au ([203.17.53.4])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id AAA29807
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Dec 1996 00:39:14 -0800 (PST)
Received: (from davidn@localhost) by nserver.blaze.net.au (8.8.4/8.6.9) id TAA02811; Thu, 12 Dec 1996 19:39:00 +1100 (EST)
Message-Id: <199612120839.TAA02811@nserver.blaze.net.au>
Date: Thu, 12 Dec 1996 19:39:00 +1100 (EST)
From: davidn@blaze.net.au
Reply-To: davidn@blaze.net.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: Bug in src/libc/gen/getttyent.c, use of freed memory
X-Send-Pr-Version: 3.2

>Number:         2196
>Category:       bin
>Synopsis:       Bug in src/libc/gen/getttyent.c, use of freed memory
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 12 00:40:03 PST 1996
>Closed-Date:    Fri Dec 13 00:53:43 MET 1996
>Last-Modified:  Fri Dec 13 00:54:42 MET 1996
>Originator:     David Nugent - davidn@blaze.net.au
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Unique Computing, Melbourne, Australia
>Environment:

	Any FreeBSD system, most obvious with phkmalloc and
	/etc/malloc.conf -> AJ. Not obvious otherwise since
	freed memory will not be overwritten.

	This fix should go into the 2.2 tree as well as -current
	since the problem is present there too.

>Description:

	src/lib/libc/gen/getttyent.c

	endttyent() frees memory which is referenced by a pointer
	returned by getttynam(), so the call basically returns
	garbage if malloc() is configured to overwrite freed
	memory.

>How-To-Repeat:

	Running mgetty+sendfax, no term set by mgetty, login
	calls getttynam() to retrieve the term type for the
	current tty, but gets back garbage if the malloc "junk fill"
	feature is enabled.

	Basically, getttynam() does not work and is buggy.

>Fix:
	
	Don't free memory in endttyent(). Not really tidy, but
	there's no simple solution other than requiring
	the application to call endttyent() instead of calling
	it in getttynam() [which would be inconsistent behaviour
	for get*nam() style routines].

	The patch below #defines away the memory free in endttyent().
	This will not result in rampant memory leak since this memory
	is reused if needed by subsequent calls into the *ttyent
	routines.
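
	The two variants of endttyent() described above, as an added example
	that is not code from this PR or from FreeBSD libc: a self-contained C
	model of the getttyent()/getttynam() pattern with one shared static line
	buffer, constructed /etc/ttys-style records, and a junk-fill stand-in for
	phkmalloc's J option (the "freed" block is deliberately kept allocated so
	the stale read is well-defined in the demo; with a real free() it is
	undefined behaviour). The function names (get_ent, get_nam,
	end_ent_buggy, end_ent_fixed, first_type_byte, copied_type_is) and the
	records in TTYS_LINES are assumptions for illustration. It shows why the
	pointer returned by the getttynam()-style lookup reads as 0xd0 garbage
	only when junk fill is on, why keeping `line' allocated fixes it, and the
	caller-side workaround of iterating with setttyent()/getttyent() yourself
	and copying the type out before endttyent().

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct ttyent; both fields point into the shared buffer. */
struct tty_rec {
	const char *ty_name;
	const char *ty_type;
};

/* Constructed /etc/ttys-style records: name getty type status. */
static const char *const TTYS_LINES[] = {
	"console none unknown off",
	"ttyd0 /usr/libexec/getty dialup on",
	"ttyv0 /usr/libexec/getty cons25 on",
	NULL,
};

static char *line;		/* the shared buffer, like `line' in getttyent.c */
static size_t lbsize;		/* like `lbsize' */
static int pos = -1;		/* -1 means "not open"; stands in for `tf' */
static struct tty_rec rec;

/* Emulates phkmalloc's J option: "freed" memory is filled with 0xd0.  The
 * block is kept allocated here so the stale read below stays well-defined. */
static void junk_free_line(void)
{
	if (line)
		memset(line, 0xd0, lbsize);
}

static void set_ent(void) { pos = 0; }

/* Like getttyent(): copy the next record into `line' and parse it in place. */
static struct tty_rec *get_ent(void)
{
	const char *src;
	size_t need;

	if (pos < 0)
		set_ent();
	if ((src = TTYS_LINES[pos]) == NULL)
		return NULL;
	pos++;
	need = strlen(src) + 1;
	if (need > lbsize) {		/* grow the shared buffer as libc does */
		char *n = realloc(line, need);
		if (n == NULL)
			return NULL;
		line = n;
		lbsize = need;
	}
	memcpy(line, src, need);
	rec.ty_name = strtok(line, " ");
	(void)strtok(NULL, " ");	/* getty program, not needed here */
	rec.ty_type = strtok(NULL, " ");
	return &rec;
}

/* Reported behaviour: endttyent() frees the buffer the result points into. */
static void end_ent_buggy(void) { junk_free_line(); pos = -1; }

/* Proposed fix: only "close the file"; `line' stays allocated for reuse. */
static void end_ent_fixed(void) { pos = -1; }

/* Mirrors getttynam(): set, scan, end, then return a pointer into `line'. */
static struct tty_rec *get_nam(const char *name, void (*end_ent)(void))
{
	struct tty_rec *t;

	set_ent();
	while ((t = get_ent()) != NULL)
		if (strcmp(t->ty_name, name) == 0)
			break;
	end_ent();			/* too early in the buggy variant */
	return t;
}

/* First byte of the type found for `name' (-1 if absent): 'd' for ttyd0 with
 * the fix, 0xd0 junk with the buggy endttyent() under J. */
static int first_type_byte(const char *name, void (*end_ent)(void))
{
	struct tty_rec *t = get_nam(name, end_ent);
	return t ? (unsigned char)t->ty_type[0] : -1;
}

/* Caller-side workaround on a libc with the buggy endttyent(): iterate with
 * setttyent()/getttyent() yourself and copy out before endttyent().
 * Returns 1 when the record exists and its type equals `expect'. */
static int copied_type_is(const char *name, const char *expect)
{
	struct tty_rec *t;
	char buf[32] = "";

	set_ent();
	while ((t = get_ent()) != NULL)
		if (strcmp(t->ty_name, name) == 0) {
			strncpy(buf, t->ty_type, sizeof buf - 1);
			break;
		}
	end_ent_buggy();		/* safe: nothing references `line' any more */
	return t != NULL && strcmp(buf, expect) == 0;
}
```

	Only the first byte of the stale result is inspected on purpose: after
	the junk fill the buffer no longer contains a terminating NUL, so a
	strcmp() through the dangling pointer would run off the end of it.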

--- getttyent.c.orig	Tue Oct 22 09:56:23 1996
+++ getttyent.c	Thu Dec 12 19:27:30 1996
@@ -207,11 +207,17 @@
 {
 	int rval;
 
+#if 0
+	/*
+         * Can't free this because getttynam()
+	 * may still be referencing it
+	 */
 	if (line) {
 		free(line);
 		line = NULL;
 		lbsize = 0;
 	}
+#endif
 	if (tf) {
 		rval = (fclose(tf) != EOF);
 		tf = NULL;
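Review bot: Wrapping the free in `#if 0` leaves dead code in endttyent(), and the comment's first line (`         * Can't free this because getttynam()`) is indented with spaces while the next uses a tab; deleting the four lines of the `if (line)` block outright and keeping a tab-indented comment in their place would be cleaner and make it obvious that `line` is now kept on purpose. The comment should also say what the accompanying text says, that `line` stays the single buffer refilled by later *ttyent calls, so a pointer returned by getttynam() is still only valid until the next getttyent()/getttynam() call; this hunk removes the premature free, not that reuse, and callers that need the ttyent across further calls must copy it.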


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: joerg 
State-Changed-When: Fri Dec 13 00:53:43 MET 1996 
State-Changed-Why:  

>Unformatted:
