From cagney@tpgi.com.au  Wed Aug 27 21:52:09 1997
Received: from oberon.tpgi.com.au (root@oberon.tpgi.com.au [203.12.160.2])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA07471
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 27 Aug 1997 21:52:02 -0700 (PDT)
Received: from b1.tpgi.com.au (mel-ppp-083.tpgi.com.au [203.12.163.83]) by oberon.tpgi.com.au (8.7.5/8.7.3) with ESMTP id OAA10300 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Aug 1997 14:51:43 +1000 (EST)
Received: (from cagney@localhost) by b1.tpgi.com.au (8.8.5/8.7.3) id OAA15671; Thu, 28 Aug 1997 14:11:19 +1000 (EST)
Message-Id: <199708280411.OAA15671@b1.tpgi.com.au>
Date: Thu, 28 Aug 1997 14:11:19 +1000 (EST)
From: Andrew Cagney <cagney@tpgi.com.au>
Reply-To: cagney@tpgi.com.au
To: FreeBSD-gnats-submit@freebsd.org
Subject: vasprintf (3) corrupts memory
X-Send-Pr-Version: 3.2

>Number:         4403
>Category:       bin
>Synopsis:       vasprintf (3) corrupts memory
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 27 22:00:00 PDT 1997
>Closed-Date:    Thu Aug 28 14:42:48 PDT 1997
>Last-Modified:  Mon Sep  1 09:10:01 PDT 1997
>Originator:     Andrew Cagney
>Release:        FreeBSD 2.1.7-RELEASE i386
>Organization:
>Environment:

	Probably also in FreeBSD 2.2.2.

>Description:

	vasprintf.c:vasprintf() unconditionally appends a null
	character to its buffer.  Since vasprintf.c:writehook()
	allows the buffer to completely fill (left == 0), that store
	can blat memory beyond the buffer's bounds.

>How-To-Repeat:

	Combine FreeBSD with GDB/mmalloc and wait for gdb to panic?

	I suspect vasprintf (... "-128-characters-") will do it.

>Fix:
	
	1 - Change writehook() to always keep one location in reserve.

or	2 - (better?) re-order the tail of vasprintf so that it reads:

	*str = realloc(h.base, (size_t)(h.size - h.left + 1));
	if (*str == NULL)	/* failed to realloc it to actual size */
		*str = h.base;	/* return oversize buffer */
	(*str)[h.size - h.left] = '\0';
	return (ret);
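
	As an added illustration (not part of this PR and not FreeBSD's
	vasprintf.c), the following C model reproduces the off-by-one the
	description and fix 1 talk about: a writehook() that lets the buffer
	fill completely versus one that keeps a byte in reserve, followed by
	the unconditional NUL store.  CHUNK_SIZE and the function names are
	assumptions of the model; the store is reported rather than performed
	so the program itself never writes out of bounds.

```c
#include <stdlib.h>
#include <string.h>
#define CHUNK_SIZE 128   /* assumed initial size and growth step of the model */
struct h { char *base; size_t size; size_t left; };  /* fields named as in the PR */

/* Model of writehook().  reserve == 0: the buffer may fill completely (left
 * reaches 0), as the PR describes.  reserve == 1: fix 1, keep one byte for NUL. */
static int writehook(struct h *h, const char *buf, size_t len, int reserve)
{
    if (len + (size_t)reserve > h->left) {          /* grow the region */
        size_t grow = len + CHUNK_SIZE;
        char *nb = realloc(h->base, h->size + grow);
        if (nb == NULL)
            return -1;
        h->base = nb;
        h->size += grow;
        h->left += grow;
    }
    memcpy(h->base + h->size - h->left, buf, len);
    h->left -= len;
    return 0;
}

/* The unconditional NUL store at base[size - left].  Instead of performing the
 * out-of-bounds write, report it: 1 if left == 0 (the store would land at
 * base[size], one past the end), 0 after a safe in-bounds store. */
static int terminate_would_overrun(struct h *h)
{
    if (h->left == 0)
        return 1;
    h->base[h->size - h->left] = '\0';
    return 0;
}

/* Push one string through the model; returns -1 on allocation failure. */
int format_overruns(const char *s, int reserve)
{
    struct h h = { malloc(CHUNK_SIZE), CHUNK_SIZE, CHUNK_SIZE };
    int r = (h.base == NULL || writehook(&h, s, strlen(s), reserve) != 0)
                ? -1 : terminate_would_overrun(&h);
    free(h.base);
    return r;
}

/* The PR's "-128-characters-" case: a string that exactly fills the buffer. */
int exact_fill_overruns(int reserve)
{
    char s[CHUNK_SIZE + 1];
    memset(s, 'A', CHUNK_SIZE);
    s[CHUNK_SIZE] = '\0';
    return format_overruns(s, reserve);
}
```

	Only the exact-fill length trips the bug: a longer string forces a
	realloc that leaves slack, a shorter one never reaches left == 0.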
>Release-Note:
>Audit-Trail:

From: Tim Vanderhoek <hoek@hwcn.org>
To: Andrew Cagney <cagney@tpgi.com.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, GNATS Management <gnats@FreeBSD.ORG>,
        freebsd-bugs@hub.freebsd.org
Subject: Re: bin/4403: vasprintf (3) corrupts memory
Date: Thu, 28 Aug 1997 02:01:39 -0400 (EDT)

 [dup and prev. fixed pr -- close]
 
 [Out of curiosity, is it correct to keep the cc to gnats
 management here?  I typically delete it, but people typically
 delete this otherwise.]
 
 On Thu, 28 Aug 1997, Andrew Cagney wrote:
 
 > >Number:         4403
 > >Category:       bin
 > >Synopsis:       vasprintf (3) corrupts memory
 [...]
 > >Environment:
 > 
 > 	Probably also in FreeBSD 2.2.2.
 
 Yes.  But not anything beyond.  You could have tried getting a
 new copy of vasprintf.c from -current.  The only reason it's in
 2.2.2 is because people (committers?) don't fix pr's when they're
 submitted.  Kudos to those who have recently taken the time to
 close as many pr's as possible.
 
 
 > 	vasprintf.c:vasprintf() unconditionally appends a null
 > 	character to its buffer.  Since vasprintf.c:writehook()
 > 	allows the buffer to completely fill (left == 0), that store
 > 	can blat memory beyond the buffer's bounds.
 
 This bug has been fixed.  The pr can be closed.
 
 
 > >How-To-Repeat:
 > 
 > 	Combine FreeBSD with GDB/mmalloc and wait for gdb to panic?
 
 The original pr for this bug includes a how-to-repeat .c program.
 The pr is closed, of course.  :)
 
 
 > or	2 - (better?) re-order the tail of vasprintf so that it reads:
 > 
 > 	*str = realloc(h.base, (size_t)(h.size - h.left + 1));
 > 	if (*str == NULL)	/* failed to realloc it to actual size */
 > 		*str = h.base;	/* return oversize buffer */
 > 	(*str)[h.size - h.left] = '\0';
 > 	return (ret);
 
 No, that could still overrun memory if realloc() fails and 
 h.left == 0.
 
 
 --
 Outnumbered?  Maybe.  Outspoken?  Never!
 tIM...HOEk
 
State-Changed-From-To: open->closed 
State-Changed-By: jlemon 
State-Changed-When: Thu Aug 28 14:42:48 PDT 1997 
State-Changed-Why:  

Dup of PR 3451.  Fixed in vasprintf.c, rev 1.7, rev 1.3.4.1. 

From: Andrew Cagney <cagney@tpgi.com.au>
To: hoek@hwcn.org
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, GNATS Management <gnats@FreeBSD.ORG>,
        freebsd-bugs@hub.freebsd.org
Subject: Re: bin/4403: vasprintf (3) corrupts memory
Date: Fri, 29 Aug 1997 14:28:34 +1000 (WET)

 Excerpts from mail: 28-Aug-97 Re: bin/4403: vasprintf (3).. Tim
 Vanderhoek@hwcn.org (1560*)
 
 > > 	Probably also in FreeBSD 2.2.2.
 
 > Yes.  But not anything beyond.  You could have tried getting a
 > new copy of vasprintf.c from -current.  The only reason it's in
 > 2.2.2 is because people (committers?) don't fix pr's when they're
 > submitted.  Kudos to those who have recently taken the time to
 > close as many pr's as possible.
 
 FYI, I'm not interested in current, just `stable'.  Unfortunately, it
 sounds like stable isn't as stable as one would like :-(.
 
 I'll think about adding a hack to libiberty, forcing it to use the FSF
 version of vasprintf on any freebsd-2.[12].* machine.
 
 Thanks for sorting out the FreeBSD end.
 
 			Andrew

From: Peter Wemm <peter@spinner.dialix.com.au>
To: Andrew Cagney <cagney@tpgi.com.au>
Cc: hoek@hwcn.org, FreeBSD-gnats-submit@FreeBSD.ORG,
        GNATS Management <gnats@FreeBSD.ORG>, freebsd-bugs@hub.freebsd.org
Subject: Re: bin/4403: vasprintf (3) corrupts memory 
Date: Tue, 02 Sep 1997 00:04:59 +0800

 Andrew Cagney wrote:
 > Excerpts from mail: 28-Aug-97 Re: bin/4403: vasprintf (3).. Tim
 > Vanderhoek@hwcn.org (1560*)
 > 
 > > > 	Probably also in FreeBSD 2.2.2.
 > 
 > > Yes.  But not anything beyond.  You could have tried getting a
 > > new copy of vasprintf.c from -current.  The only reason it's in
 > > 2.2.2 is because people (committers?) don't fix pr's when they're
 > > submitted.  Kudos to those who have recently taken the time to
 > > close as many pr's as possible.
 > 
 > FYI,  I'm not interested in current, just `stable'.  Unfortunatly, it
 > sounds like stable isn't as stable as one would like :-(.
 
 It was backported to 2.2-stable ages ago...  It is rev 1.7 in 3.0-current 
 and 1.3.4.1 in 2.2.
 
 > I'll think about adding a hack to libiberty, forcing it to use the FSF
 > version of vasprintf on any freebsd-2.[12].* machine.
 
 Be careful.. If it's the version I'm thinking of, I wouldn't be so quick 
 to do this.  One version I've seen around scans for % fields in the string 
 to estimate the size and does a malloc and vsprintf.  This scares the hell 
 out of me...
 
 > Thanks for sorting out the FreeBSD end.
 
 You can get the current 2.2 version and it should just drop into both
 2.1.x and 2.2.[12].
 
 > 			Andrew
 > 
 
 Cheers,
 -Peter
 
 
>Unformatted:
