From ben@scientia.demon.co.uk  Sat Jun  9 09:27:42 2001
Return-Path: <ben@scientia.demon.co.uk>
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13])
	by hub.freebsd.org (Postfix) with ESMTP id B1E8837B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  9 Jun 2001 09:27:40 -0700 (PDT)
	(envelope-from ben@scientia.demon.co.uk)
Received: from platinum.shef.vinosystems.com ([192.168.91.37] ident=root)
	by scientia.demon.co.uk with esmtp (Exim 3.22 #1)
	id 158laM-0000pw-00 for FreeBSD-gnats-submit@freebsd.org;
	Sat, 09 Jun 2001 17:27:38 +0100
Received: (from ben@localhost)
	by platinum.shef.vinosystems.com (8.11.3/8.11.3) id f59GRch80702;
	Sat, 9 Jun 2001 17:27:38 +0100 (BST)
	(envelope-from ben)
Message-Id: <200106091627.f59GRch80702@platinum.shef.vinosystems.com>
Date: Sat, 9 Jun 2001 17:27:38 +0100 (BST)
From: ben@FreeBSD.org
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ypbind uses memory after freeing it
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         27990
>Category:       bin
>Synopsis:       ypbind uses memory after freeing it
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ben
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 09 09:30:01 PDT 2001
>Closed-Date:    Mon Jul 9 21:10:16 BST 2001
>Last-Modified:  Mon Jul 09 21:10:38 BST 2001
>Originator:     
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
The FreeBSD Project
>Environment:
System: FreeBSD platinum.shef.vinosystems.com 4.3-STABLE FreeBSD 4.3-STABLE #0: Sun May 20 14:21:28 BST 2001 ben@platinum.scientia.demon.co.uk:/usr/obj/usr/src/sys/PLATINUM i386

(Rather old, but I don't see any recent commits to this file.)

>Description:

Maybe I'm missing something but this code just looks plain Wrong to me:

	for(ypdb=ypbindlist; ypdb; ypdb=ypdb->dom_pnext) {
		if (READFD > 0 && FD_ISSET(READFD, &fdsr)) {
			handle_children(ypdb);
			if (children == (MAX_CHILDREN - 1))
				checkwork();
		}
	}

Given this code in the handle_children() function:

	switch(ypdb->dom_default) {
	case 0:
		...
		free(ypdb);			<< HERE
		domains--;
		return;

After returning the main() function will do 'ypdb=ypdb->dom_pnext' after
'ypdb' has been freed.

>How-To-Repeat:

Not quite sure.  I noticed it while I had one machine on my network
using the old NIS domain after I'd changed the rest to a new one, maybe
that's related.

>Fix:

This has fixed the problem for me on -stable, not sure if it applies to
current too or not though.  If someone can just review it I can commit
it.

--- ypbind.c.orig	Sat Jun  9 17:03:47 2001
+++ ypbind.c	Sat Jun  9 17:04:32 2001
@@ -394,7 +394,7 @@
 	int i;
 	DIR *dird;
 	struct dirent *dirp;
-	struct _dom_binding *ypdb;
+	struct _dom_binding *ypdb, *next;
 
 	/* Check that another ypbind isn't already running. */
 	if ((yplockfd = (open(YPBINDLOCK, O_RDONLY|O_CREAT, 0444))) == -1)
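Review bot: `next` is declared without an initializer and without a comment saying why a second cursor is needed; since its only purpose is to hold the successor across a call that may free `ypdb` (the loop in the second hunk), a one-line comment at the declaration such as `/* saved successor: handle_children() may free ypdb */` would keep a future cleanup from folding it back into the loop.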
@@ -493,7 +493,8 @@
 				syslog(LOG_WARNING, "select: %m");
 			break;
 		default:
-			for(ypdb=ypbindlist; ypdb; ypdb=ypdb->dom_pnext) {
+			for(ypdb=ypbindlist; ypdb; ypdb=next) {
+				next = ypdb->dom_pnext;
 				if (READFD > 0 && FD_ISSET(READFD, &fdsr)) {
 					handle_children(ypdb);
 					if (children == (MAX_CHILDREN - 1))
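Review bot: reading `next = ypdb->dom_pnext;` before `handle_children(ypdb)` fixes the use-after-free for the node being processed, but the loop stays safe only if nothing called in the body frees any other list element: `checkwork()` runs inside the same iteration, so confirm it cannot unlink or free the node `next` already points to, otherwise `next` dangles exactly as `ypdb` did. A comment above the `for` stating that `handle_children()` may free `ypdb`, so the successor must be read first, would document that invariant for the next reader.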

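The iteration bug and its fix, as an added stand-alone example that is not ypbind's code: a constructed singly linked list with a handler that, like handle_children(), unlinks and frees finished bindings, swept with the saved-next loop from the patch above. struct dom_binding, sweep_bindings() and run_example() are assumed names; the three bindings are constructed input.

```c
#include <stdlib.h>

/* Constructed stand-in for ypbind's struct _dom_binding (relevant fields only). */
struct dom_binding {
	int dom_default;		/* 0: finished, handle_children() frees the node */
	struct dom_binding *dom_pnext;
};

static struct dom_binding *ypbindlist;	/* list head, as in ypbind */
static int domains;			/* live bindings, as in ypbind */

/* Stand-in for handle_children(): on dom_default == 0 it unlinks and frees ypdb. */
static void handle_children(struct dom_binding *ypdb)
{
	struct dom_binding **pp;
	if (ypdb->dom_default != 0)
		return;
	for (pp = &ypbindlist; *pp != NULL; pp = &(*pp)->dom_pnext)
		if (*pp == ypdb) {
			*pp = ypdb->dom_pnext;
			break;
		}
	free(ypdb);			/* caller must not touch ypdb after this */
	domains--;
}

/* The PR's fixed loop: read dom_pnext before the call that may free the node. */
int sweep_bindings(void)
{
	struct dom_binding *ypdb, *next;
	for (ypdb = ypbindlist; ypdb != NULL; ypdb = next) {
		next = ypdb->dom_pnext;		/* the one-line fix from the PR */
		handle_children(ypdb);		/* may free(ypdb) */
	}
	return domains;			/* bindings still listed */
}

/* Constructed input: three bindings, two finished and one still bound. */
int run_example(void)
{
	static const int defaults[] = { 0, 1, 0 };
	for (int i = 0; i < 3; i++) {
		struct dom_binding *d = calloc(1, sizeof(*d));
		d->dom_default = defaults[i];
		d->dom_pnext = ypbindlist;
		ypbindlist = d;
		domains++;
	}
	return sweep_bindings();	/* 1: only the bound domain survives */
}
```

Running it under a memory checker such as valgrind shows no invalid reads; replacing `ypdb = next` with the original `ypdb = ypdb->dom_pnext` reproduces the read of freed memory the PR describes.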
>Release-Note:
>Audit-Trail:

From: Dima Dorfman <dima@unixfreak.org>
To: ben@FreeBSD.org
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/27990: ypbind uses memory after freeing it 
Date: Wed, 13 Jun 2001 21:21:44 -0700

 ben@FreeBSD.org writes:
 > >Fix:
 > 
 > This has fixed the problem for me on -stable, not sure if it applies to
 > current too or not though.  If someone can just review it I can commit
 > it.
 
 It applies to -current.  I've tried it and it works fine.  I also
 agree with your analysis of the problem.
 
 > 
 > --- ypbind.c.orig	Sat Jun  9 17:03:47 2001
 > +++ ypbind.c	Sat Jun  9 17:04:32 2001
 > @@ -394,7 +394,7 @@
 >  	int i;
 >  	DIR *dird;
 >  	struct dirent *dirp;
 > -	struct _dom_binding *ypdb;
 > +	struct _dom_binding *ypdb, *next;
 >  
 >  	/* Check that another ypbind isn't already running. */
 >  	if ((yplockfd = (open(YPBINDLOCK, O_RDONLY|O_CREAT, 0444))) == -1)
 > @@ -493,7 +493,8 @@
 >  				syslog(LOG_WARNING, "select: %m");
 >  			break;
 >  		default:
 > -			for(ypdb=ypbindlist; ypdb; ypdb=ypdb->dom_pnext) {
 > +			for(ypdb=ypbindlist; ypdb; ypdb=next) {
 > +				next = ypdb->dom_pnext;
 >  				if (READFD > 0 && FD_ISSET(READFD, &fdsr)) {
 >  					handle_children(ypdb);
 >  					if (children == (MAX_CHILDREN - 1))
 > 
 > >Release-Note:
 > >Audit-Trail:
 > >Unformatted:
 > 
 > To Unsubscribe: send mail to majordomo@FreeBSD.org
 > with "unsubscribe freebsd-bugs" in the body of the message
 > 

From: Ben Smithurst <ben@FreeBSD.org>
To: audit@FreeBSD.org
Cc: phk@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/27990: ypbind uses memory after freeing it
Date: Fri, 15 Jun 2001 12:56:02 +0100

 [ cc'd to phk as my mentor for src commits... ]
 
 could someone please review this fairly simple patch for me?  If someone
 could test it on -current too that would be great, I don't have a
 -current machine at the moment.  It works fine on -stable though.  It's
 had one review already but a few more can't hurt.
 
 http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27990
 
 -- 
 Ben Smithurst / ben@FreeBSD.org

From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: Ben Smithurst <ben@FreeBSD.org>
Cc: audit@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/27990: ypbind uses memory after freeing it 
Date: Fri, 15 Jun 2001 14:00:48 +0200

 Looks good to my eyes, but I'm not able to test it.
 
 Poul-Henning
 
 In message <20010615125602.A31582@comp.leeds.ac.uk>, Ben Smithurst writes:
 >[ cc'd to phk as my mentor for src commits... ]
 >
 >could someone please review this fairly simple patch for me?  If someone
 >could test it on -current too that would be great, I don't have a
 >-current machine at the moment.  It works fine on -stable though.  It's
 >had one review already but a few more can't hurt.
 >
 >http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27990
 >
 >-- 
 >Ben Smithurst / ben@FreeBSD.org
 >
 
 -- 
 Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
 phk@FreeBSD.ORG         | TCP/IP since RFC 956
 FreeBSD committer       | BSD since 4.3-tahoe    
 Never attribute to malice what can adequately be explained by incompetence.
Responsible-Changed-From-To: freebsd-bugs->ben 
Responsible-Changed-By: ben 
Responsible-Changed-When: Sat Jun 23 19:05:55 BST 2001 
Responsible-Changed-Why:  
Committed to -current, will MFC in 2 weeks if no problems arise. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27990 
State-Changed-From-To: open->closed 
State-Changed-By: ben 
State-Changed-When: Mon Jul 9 21:10:16 BST 2001 
State-Changed-Why:  
committed in -current and 4-stable. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27990 
>Unformatted:
