From nobody@FreeBSD.org  Thu Mar 21 12:46:49 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 9434F37B400
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 21 Mar 2002 12:46:49 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g2LKknv33411;
	Thu, 21 Mar 2002 12:46:49 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200203212046.g2LKknv33411@freefall.freebsd.org>
Date: Thu, 21 Mar 2002 12:46:49 -0800 (PST)
From: Jiu Zheng <jiu@stbernard.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Vsnprintf causes memory leak 
X-Send-Pr-Version: www-1.0

>Number:         36175
>Category:       bin
>Synopsis:       Vsnprintf causes memory leak
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 21 12:50:02 PST 2002
>Closed-Date:    Mon Sep 23 00:05:07 PDT 2002
>Last-Modified:  Mon Sep 23 00:05:07 PDT 2002
>Originator:     Jiu Zheng
>Release:        4.x
>Organization:
St Bernard Software
>Environment:
FreeBSD sunrise.rapid.stbernard.com 4.2-RELEASE FreeBSD 4.2-RELEASE #2: Fri Jan 19 09:29:10 PST 2001     jiu@sunrise.ipinc.com:/usr/src/sys/compile/SUNRISE  i386
>Description:
*Each time* vsnprintf is called with str == NULL, 1K of memory is 
allocated and never gets freed. This can cause a memory leak for certain 
applications.

For example, in the recent Samba 3.0 alpha release, there is such a
line

len = vsnprintf(NULL, 0, fmt, ap);

used to calculate the length of the string. Then a serious memory leak
is caused in winbindd (a daemon that is part of the Samba package). 

I noticed in revision 1.15 of vsnprintf (CVS) the author said

"revert freeing of memory that gets allocated when str == NULL
(this will be fixed in a better way)"

I am not sure the author really means to allocate 1M of memory
if the function is called in such a way 1000 times in a program.
I think this should get fixed ASAP.

Thank you.



>How-To-Repeat:
Just compile and run the following, and watch the program's size grow.

#include <stdio.h>
#include <stdarg.h>

/* Sizes a formatted string the way Samba does: vsnprintf() with a NULL
 * buffer and zero length.  On the affected libc every such call
 * allocates 1K that is never freed. */
void do_print(char const *fmt, ...) {
	int len;
	va_list ap;

	va_start(ap, fmt);
	len = vsnprintf(NULL, 0, fmt, ap);
	va_end(ap);
	(void)len;	/* only the allocation behaviour matters here */
}

int main(void) {
	/* Loop forever; watch the process size grow. */
	while (1)
		do_print("bad\n");
	return 0;
}
>Fix:
The author, assar, must know 
>Release-Note:
>Audit-Trail:

From: Jiu Zheng <jiu@stbernard.com>
To: <FreeBSD-gnats-submit@FreeBSD.org>, <freebsd-bugs@FreeBSD.org>
Cc:  
Subject: Re: bin/36175: Vsnprintf causes memory leak 
Date: Thu, 21 Mar 2002 12:58:52 -0800 (PST)

 Dear FreeBSD,
 
 I think I accidentally filed this in the "bin" category.
 This is really a problem of a function in libc.
 Maybe it should be sent to "misc"?
 
 I wish you will be able to forward this to a more proper
 place and get the libc maintainers to read it.
 
 Thank you.
 
 Jiu
 
 
 
 On Thu, 21 Mar 2002 FreeBSD-gnats-submit@FreeBSD.org wrote:
 
 > Thank you very much for your problem report.
 > It has the internal identification `bin/36175'.
 > The individual assigned to look at your
 > report is: freebsd-bugs.
 >
 > You can access the state of your problem report at any time
 > via this link:
 >
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=36175
 >
 > >Category:       bin
 > >Responsible:    freebsd-bugs
 > >Synopsis:       Vsnprintf causes memory leak
 > >Arrival-Date:   Thu Mar 21 12:50:02 PST 2002
 >
 

From: Maxim Konovalov <maxim@macomnet.ru>
To: Jiu Zheng <jiu@stbernard.com>
Cc: freebsd-gnats-submit@FreeBSD.ORG, <assar@FreeBSD.ORG>
Subject: Re: bin/36175: Vsnprintf causes memory leak 
Date: Fri, 22 Mar 2002 11:42:55 +0300 (MSK)

 Could you please try a patch below (from OpenBSD):
 
 Index: vsnprintf.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libc/stdio/vsnprintf.c,v
 retrieving revision 1.15
 diff -u -r1.15 vsnprintf.c
 --- vsnprintf.c	18 Jun 2001 04:40:52 -0000	1.15
 +++ vsnprintf.c	22 Mar 2002 08:32:29 -0000
 @@ -55,6 +55,7 @@
  {
  	size_t on;
  	int ret;
 +	char dummy;
  	FILE f;
 
  	on = n;
 @@ -62,6 +63,11 @@
  		n--;
  	if (n > INT_MAX)
  		n = INT_MAX;
 +	/* Stdio internals do not deal correctly with zero length buffer */
 +	if (n == 0) {
 +                str = &dummy;
 +                n = 1;
 +	}
  	f._file = -1;
  	f._flags = __SWR | __SSTR;
  	f._bf._base = f._p = (unsigned char *)str;
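 
 Review bot: the `n == 0` test also catches a caller that passed a real buffer with `n == 1`, because `on = n;` is saved before the `n--;` shown at the top of this hunk; redirecting `str` to `&dummy` in that case means the caller's buffer never receives its terminating NUL, and forcing `n = 1` lets one formatted character be copied into the single-char `dummy`, leaving `f._p` one byte past it for whatever terminator is written there later. Suggest keeping `n` at 0, terminating the caller's buffer first (`if (on > 0) *str = '\0';`) and only then doing `str = dummy;` with `dummy` declared as `char dummy[2];`, which still gives stdio a non-NULL `_bf._base` to work with. The comment would say more if it named the failure: with a NULL base and zero length the stdio write path allocates its own buffer and never frees it, which is the 1K leak the PR reports. Minor: the two assignments inside the `if` are indented with spaces while the surrounding code uses tabs.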
 
 %%%
 
 -- 
 Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
 phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
 

From: Jiu Zheng <jiu@stbernard.com>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: <freebsd-gnats-submit@FreeBSD.ORG>, <assar@FreeBSD.ORG>
Subject: Re: bin/36175: Vsnprintf causes memory leak 
Date: Fri, 22 Mar 2002 11:59:16 -0800 (PST)

 Thank you, Maxim,
 
 The way your patch works is exactly how I fixed problems in my
 applications' source code: call vsnprintf(&dummy, 1, fmt, ap).
 
 The thing is that it is impractical to patch and recompile libc for all
 our development workstations. I just wish this will get fixed soon in a
 FreeBSD release.
 
 Jiu
 
 
 On Fri, 22 Mar 2002, Maxim Konovalov wrote:
 
 >
 > Could you please try a patch below (from OpenBSD):
 >
 > Index: vsnprintf.c
 > ===================================================================
 > RCS file: /home/ncvs/src/lib/libc/stdio/vsnprintf.c,v
 > retrieving revision 1.15
 > diff -u -r1.15 vsnprintf.c
 > --- vsnprintf.c	18 Jun 2001 04:40:52 -0000	1.15
 > +++ vsnprintf.c	22 Mar 2002 08:32:29 -0000
 > @@ -55,6 +55,7 @@
 >  {
 >  	size_t on;
 >  	int ret;
 > +	char dummy;
 >  	FILE f;
 >
 >  	on = n;
 > @@ -62,6 +63,11 @@
 >  		n--;
 >  	if (n > INT_MAX)
 >  		n = INT_MAX;
 > +	/* Stdio internals do not deal correctly with zero length buffer */
 > +	if (n == 0) {
 > +                str = &dummy;
 > +                n = 1;
 > +	}
 >  	f._file = -1;
 >  	f._flags = __SWR | __SSTR;
 >  	f._bf._base = f._p = (unsigned char *)str;
 >
 > %%%
 >
 > --
 > Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
 > phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
 >
 
Responsible-Changed-From-To: freebsd-bugs->billf 
Responsible-Changed-By: billf 
Responsible-Changed-When: Fri May 31 02:16:34 PDT 2002 
Responsible-Changed-Why:  
I'll look into merging OpenBSD's solution to FreeBSD PR #26044 contained 
in this PR. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=36175 
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Tue Sep 17 04:54:13 PDT 2002 
State-Changed-Why:  
Fixed in rev. 1.21 src/lib/libc/stdio/vsnprintf.c in -current. 


Responsible-Changed-From-To: billf->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Tue Sep 17 04:54:13 PDT 2002 
Responsible-Changed-Why:  
MFC reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=36175 
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Mon Sep 23 00:02:40 PDT 2002 
State-Changed-Why:  
Fixed in rev. 1.21 and rev. 1.12.2.1 src/lib/libc/stdio/vsnprintf.c 
in -current and -stable. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=36175 
>Unformatted:
