From martin@email.aon.at  Sat Dec  6 12:52:02 2003
Return-Path: <martin@email.aon.at>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7092616A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  6 Dec 2003 12:52:02 -0800 (PST)
Received: from email02.aon.at (WARSL402PIP7.highway.telekom.at [195.3.96.94])
	by mx1.FreeBSD.org (Postfix) with SMTP id 6557643FDD
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  6 Dec 2003 12:51:57 -0800 (PST)
	(envelope-from martin@email.aon.at)
Received: (qmail 266004 invoked from network); 6 Dec 2003 20:51:55 -0000
Received: from m032p001.adsl.highway.telekom.at (HELO gandalf.xyzzy) ([62.47.171.225]) (envelope-sender <martin@email.aon.at>)
          by qmail2rs.highway.telekom.at (qmail-ldap-1.03) with SMTP
          for <FreeBSD-gnats-submit@freebsd.org>; 6 Dec 2003 20:51:55 -0000
Received: from gandalf.xyzzy (localhost.xyzzy [127.0.0.1])
	by gandalf.xyzzy (8.12.9p2/8.12.9) with ESMTP id hB6KptxI054846
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 6 Dec 2003 21:51:55 +0100 (CET)
	(envelope-from martin@gandalf.xyzzy)
Received: (from martin@localhost)
	by gandalf.xyzzy (8.12.9p2/8.12.9/Submit) id hB6KpsTq054845;
	Sat, 6 Dec 2003 21:51:54 +0100 (CET)
	(envelope-from martin)
Message-Id: <200312062051.hB6KpsTq054845@gandalf.xyzzy>
Date: Sat, 6 Dec 2003 21:51:54 +0100 (CET)
From: Martin Birgmeier <martin@email.aon.at>
Reply-To: Martin Birgmeier <martin@email.aon.at>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: various fixes to ppp dumping core
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         59995
>Category:       bin
>Synopsis:       various fixes to ppp dumping core
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    brian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 06 13:00:35 PST 2003
>Closed-Date:    Thu Feb 03 10:53:07 GMT 2005
>Last-Modified:  Thu Feb 03 10:53:07 GMT 2005
>Originator:     Martin Birgmeier
>Release:        FreeBSD 4.9-RELEASE i386
>Organization:
MBi at home
>Environment:
System: FreeBSD gandalf.xyzzy 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Sat Nov 8 15:57:06 CET 2003 root@gandalf.xyzzy:/d/6s4e/OBJ/FreeBSD/RELENG_4_9_0_RELEASE/src/sys/GANDALF i386


>Description:
	User ppp likes to dump core, especially when using log substitutions
>How-To-Repeat:
	Start ppp; use logfile (or command) substitutions which expand the
	string (e.g., "HISADDR", which would be expanded to a string like
	"192.168.55.245")
>Fix:

*** usr.sbin/ppp/chap.c.ORIG	Sat Dec  6 21:31:03 2003
--- usr.sbin/ppp/chap.c	Sat Dec  6 21:34:29 2003
***************
*** 954,960 ****
          datalink_AuthNotOk(p->dl);
          break;
      }
!     free(ans);
    }
  
    m_freem(bp);
--- 954,966 ----
          datalink_AuthNotOk(p->dl);
          break;
      }
!     switch (chap->auth.in.hdr.code) {
!       case CHAP_RESPONSE:
!       case CHAP_SUCCESS:
!       case CHAP_FAILURE:
! 	free(ans);
! 	break;
!     }
    }
  
    m_freem(bp);
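Review bot: the narrowed `free(ans)` needs a comment and a `default:` label. The new switch frees `ans` only for CHAP_RESPONSE, CHAP_SUCCESS and CHAP_FAILURE, but nothing in the hunk documents which code paths heap-allocate `ans` and which leave it pointing at memory that must not be freed, so a later reader cannot tell whether the omitted codes are a deliberate non-free or a leak. Add a comment above `switch (chap->auth.in.hdr.code) {` stating where `ans` is allocated for these three codes, and an explicit `default:` branch (even an empty one) so the intent survives the next edit.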
*** usr.sbin/ppp/command.c.ORIG	Sat Dec  6 21:31:04 2003
--- usr.sbin/ppp/command.c	Sat Dec  6 21:32:06 2003
***************
*** 452,458 ****
        tgt = ntgt;
      }
      if (lnewstr > loldstr)
!       bcopy(word + loldstr, word + lnewstr, ltgt - pos - loldstr);
      bcopy(newstr, word, lnewstr);
    } while ((word = strstrword(word, oldstr)));
  
--- 452,458 ----
        tgt = ntgt;
      }
      if (lnewstr > loldstr)
!       bcopy(word + loldstr, word + lnewstr, ltgt - pos - lnewstr);
      bcopy(newstr, word, lnewstr);
    } while ((word = strstrword(word, oldstr)));
  
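Review bot: the length change in the `bcopy()` call cannot be verified from the hunk, and the realloc just above it raises a separate concern. Whether the tail to move is `ltgt - pos - loldstr` (the old count) or `ltgt - pos - lnewstr` (the new count) depends on whether `ltgt` was already increased by `lnewstr - loldstr` when the buffer was grown, and that update lies outside the visible lines; the submission should quote it so the arithmetic can be checked. Independently, `tgt = ntgt;` shows the buffer may have been reallocated, yet the following `bcopy(word + loldstr, word + lnewstr, ...)` still uses `word`, which is not re-derived from the new `tgt` anywhere in the hunk; unless `word = tgt + pos` happens in the elided lines, the copy reads and writes through a pointer into the old buffer. Please establish which of the two is the actual cause of the core dump before changing the count.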
*** usr.sbin/ppp/ncp.c.ORIG	Sat Dec  6 21:31:05 2003
--- usr.sbin/ppp/ncp.c	Sat Dec  6 21:36:30 2003
***************
*** 103,115 ****
    ncp->route = NULL;
  
    ncp->cfg.urgent.tcp.nports = ncp->cfg.urgent.tcp.maxports = NDEFTCPPORTS;
!   ncp->cfg.urgent.tcp.port = (u_short *)malloc(NDEFTCPPORTS * sizeof(u_short));
    memcpy(ncp->cfg.urgent.tcp.port, default_urgent_tcp_ports,
           NDEFTCPPORTS * sizeof(u_short));
    ncp->cfg.urgent.tos = 1;
  
    ncp->cfg.urgent.udp.nports = ncp->cfg.urgent.udp.maxports = NDEFUDPPORTS;
!   ncp->cfg.urgent.udp.port = (u_short *)malloc(NDEFUDPPORTS * sizeof(u_short));
    memcpy(ncp->cfg.urgent.udp.port, default_urgent_udp_ports,
           NDEFUDPPORTS * sizeof(u_short));
  
--- 103,115 ----
    ncp->route = NULL;
  
    ncp->cfg.urgent.tcp.nports = ncp->cfg.urgent.tcp.maxports = NDEFTCPPORTS;
!   ncp->cfg.urgent.tcp.port = (u_short *)malloc((NDEFTCPPORTS ? NDEFTCPPORTS : 1) * sizeof(u_short));
    memcpy(ncp->cfg.urgent.tcp.port, default_urgent_tcp_ports,
           NDEFTCPPORTS * sizeof(u_short));
    ncp->cfg.urgent.tos = 1;
  
    ncp->cfg.urgent.udp.nports = ncp->cfg.urgent.udp.maxports = NDEFUDPPORTS;
!   ncp->cfg.urgent.udp.port = (u_short *)malloc((NDEFUDPPORTS ? NDEFUDPPORTS : 1) * sizeof(u_short));
    memcpy(ncp->cfg.urgent.udp.port, default_urgent_udp_ports,
           NDEFUDPPORTS * sizeof(u_short));
  
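Review bot: both `malloc()` results are passed straight to `memcpy()` with no NULL check, so an allocation failure still dereferences a null pointer on the `tcp.port` and `udp.port` lines. The `(NDEFTCPPORTS ? NDEFTCPPORTS : 1)` guard only avoids a zero-byte request; the C standard lets `malloc(0)` return either NULL or a unique pointer, so the guard is portability hygiene rather than a fix for the crash. Add `if (ncp->cfg.urgent.tcp.port == NULL)` (and the udp equivalent) before each `memcpy()` and handle the failure; the size expression can then stay as the plain `NDEFTCPPORTS * sizeof(u_short)`.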

	This one was hard to track down... and only succeeded using
	dmalloc (ports/devel). I got to learn a nice piece of code!

--
Martin Birgmeier

Vienna
Austria
>Release-Note:
>Audit-Trail:

From: Martin Birgmeier <lvktku8w@aon.at>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/59995: various fixes to ppp dumping core
Date: Fri, 19 Dec 2003 21:13:39 +0100

 Actually, due to FreeBSD's free() and malloc() implementations handling
 zero parameters gracefully, only the patch to command.c is absolutely
 essential.
 
 -- 
 Martin Birgmeier
 
 Vienna
 Austria
 

From: Dan Lukes <dan@obluda.cz>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/59995: various fixes to ppp dumping core
Date: Sun, 12 Sep 2004 20:16:20 +0200

 	But the return value of malloc should still be tested against NULL within the
 ncp.c code ...
 
 							Dan
 
Responsible-Changed-From-To: freebsd-bugs->brian 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Wed Oct 6 06:03:18 GMT 2004 
Responsible-Changed-Why:  
Over to ppp(8) maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59995 
State-Changed-From-To: open->patched 
State-Changed-By: brian 
State-Changed-When: Mon Oct 11 11:16:04 GMT 2004 
State-Changed-Why:  
ncp.c now handles malloc() failures.  See my other email 
(which doesn't seem to have hit gnats yet!) for why the 
proposed command.c change is wrong. 

I don't intend to MFC this 'till after 5.3 is out. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59995 
State-Changed-From-To: patched->closed 
State-Changed-By: brian 
State-Changed-When: Thu Feb 3 10:52:51 GMT 2005 
State-Changed-Why:  
The fixes have been MFC'd 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59995 
>Unformatted:
