From ahobson@computer.eng.mindspring.net  Mon Apr  6 19:00:36 1998
Received: from computer.eng.mindspring.net (computer.eng.mindspring.net [207.69.183.4])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA26924
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 6 Apr 1998 19:00:36 -0700 (PDT)
          (envelope-from ahobson@computer.eng.mindspring.net)
Received: (from ahobson@localhost)
          by computer.eng.mindspring.net (8.8.8/8.8.4)
	  id WAA29450; Mon, 6 Apr 1998 22:00:05 -0400 (EDT)
Message-Id: <199804070200.WAA29450@computer.eng.mindspring.net>
Date: Mon, 6 Apr 1998 22:00:05 -0400 (EDT)
From: ahobson@mindspring.com
Reply-To: ahobson@mindspring.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: bug in lib/libc/stdio/mktemp.c
X-Send-Pr-Version: 3.2

>Number:         6232
>Category:       bin
>Synopsis:       possible reference to unitialized variable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr  6 19:10:01 PDT 1998
>Closed-Date:    Tue Apr 7 05:45:52 PDT 1998
>Last-Modified:  Tue Apr  7 05:46:41 PDT 1998
>Originator:     Andrew Hobson
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
MindSpring
>Environment:

mktemp.c version 1.8

>Description:

  mktemp(3) will occasionally coredump.

>How-To-Repeat:

The following program will coredump after a few iterations.

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>

int
main(int argc, char *argv[])
{
  char ts[] = "/home/ahobson/src/tmp/IncomingXXXXXX";
  char s[256];
  char *r;
  int i;

  for (i=0; i < 1000; i++) {
    strncpy(s, ts, 256);
    fprintf(stderr, "mktemp(%s): ", s);
    if (NULL == (r=mktemp(s))) {
      fprintf(stderr, "NULL!!\n");
      exit(1);
    } else {
      fprintf(stderr, "%s\n", r);
    }
    if (0 > creat(r, 0644)) {
      fprintf(stderr, "Cannot creat(%s): %s\n", r, strerror(errno));
    }
 } 

 exit(0);
}

>Fix:
	
  This fixes the problem.  I'm not sure it's the right fix.

--- /usr/src/lib/libc/stdio/mktemp.c	Sun Apr  5 22:36:52 1998
+++ mktemp.c	Mon Apr  6 21:57:41 1998
@@ -121,6 +121,8 @@
 		*trv-- = c;
 	}
 
+	start = trv;
+
 	/*
 	 * check the target directory; if you have six X's and it
 	 * doesn't exist this runs for a *very* long time.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: bde 
State-Changed-When: Tue Apr 7 05:45:52 PDT 1998 
State-Changed-Why:  
Already fixed about a month ago in rev.1.9 of mktemp.c. 
>Unformatted:
