From jin@portnoy.lbl.gov  Fri Mar 31 23:04:46 2006
Return-Path: <jin@portnoy.lbl.gov>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 10D6516A420
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 31 Mar 2006 23:04:46 +0000 (UTC)
	(envelope-from jin@portnoy.lbl.gov)
Received: from portnoy.lbl.gov (portnoy.lbl.gov [131.243.2.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F1C3443D5A
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 31 Mar 2006 23:04:44 +0000 (GMT)
	(envelope-from jin@portnoy.lbl.gov)
Received: from portnoy.lbl.gov (localhost [127.0.0.1])
	by portnoy.lbl.gov (8.13.6/8.13.6) with ESMTP id k2VN4iCg009796
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 31 Mar 2006 15:04:44 -0800 (PST)
Received: (from jin@localhost)
	by portnoy.lbl.gov (8.13.6/8.13.6/Submit) id k2VN4iNB009795;
	Fri, 31 Mar 2006 15:04:44 -0800 (PST)
Message-Id: <200603312304.k2VN4iNB009795@portnoy.lbl.gov>
Date: Fri, 31 Mar 2006 15:04:44 -0800 (PST)
From: Jin Guojun (DSD staff) <jin@george.lbl.gov>
Reply-To: jin@george.lbl.gov
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: bsdtar core dump on non-existing symlink
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         95175
>Category:       bin
>Synopsis:       bsdtar(1) core dump on non-existing symlink
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kientzle
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 31 23:10:19 GMT 2006
>Closed-Date:    Sun Jul 30 06:36:22 GMT 2006
>Last-Modified:  Sun Jul 30 06:36:22 GMT 2006
>Originator:     Jin Guojun (DSD staff)
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD 6.0-RELEASE FreeBSD 


	FreeBSD 6.0 and 6.1-BETA4
>Description:
	Using the command "tar -ch" to create an archive: if there is an empty
	(non-existing) symlink, tar will core dump because there is no NULL
	pointer check.

>How-To-Repeat:
	cd /tmp
	mkdir test
	ln -s /mnt/onwhere test
	tar -chf /dev/null test
	coredump ...
>Fix:

	This happens in function write_hierarchy()
	in /usr/src/usr.bin/tar/write.c file:
        case 'L':
                /* 'L': Do descend through a symlink to dir. */
                /* 'L': Archive symlink to file as file. */
L 631           lst = tree_current_stat(tree);
                break;
        default:
 
...
 
L650    if (new_enough(bsdtar, name, lst)) {
                write_entry(bsdtar, a, lst, name,
                    tree_current_pathlen(tree),
                    tree_current_access_path(tree));
        }

-------------

Line 631 returns NULL to lst when the symlink points to a non-existing file
or directory. This is then passed to all the code in the block starting at L650.
None of these routines check whether the argument "lst" is NULL.
Eventually, it core dumps in the write_entry() function when *st (passed from lst)
is referenced.

lst must be checked before line 650, and the proper branch needs to be taken
when lst is NULL (it should be treated as a regular symlink).
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kientzle 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Apr 1 03:13:15 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95175 
State-Changed-From-To: open->patched 
State-Changed-By: kientzle 
State-Changed-When: Sun Apr 2 18:42:44 UTC 2006 
State-Changed-Why:  
Fixed in -CURRENT 

State-Changed-From-To: patched->closed 
State-Changed-By: kientzle 
State-Changed-When: Sun Jul 30 06:35:58 UTC 2006 
State-Changed-Why:  
Fix MFCed to 6-Stable: 2006-07-30 06:32:14 UTC 

>Unformatted:
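
The check the report asks for, as an added example: this is not bsdtar source and not the committed fix. follow_stat(), pick_stat() and demo_dangling_link() are hypothetical names; the first stands in for an accessor that returns NULL on a dangling link, and the fallback follows the report's suggestion to treat such an entry as a regular symlink.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for a tree_current_stat()-style accessor: follows
 * symlinks and returns NULL when the target cannot be stat'ed. */
static const struct stat *follow_stat(const char *path, struct stat *buf)
{
    return stat(path, buf) == 0 ? buf : NULL;
}

/* Choose the stat data to archive when symlinks are followed (-h / -L).
 * Returns 0 = target followed, 1 = dangling link kept as a symlink,
 * -1 = path cannot be examined at all (caller should skip the entry). */
int pick_stat(const char *path, struct stat *out)
{
    if (follow_stat(path, out) != NULL)
        return 0;
    /* The NULL check the report asks for: fall back to the link itself. */
    if (lstat(path, out) == 0 && S_ISLNK(out->st_mode))
        return 1;
    return -1;
}

/* Constructed sample input: a temp dir with one dangling symlink, like
 * test/onwhere in the report. Returns pick_stat()'s verdict (-2 = setup). */
int demo_dangling_link(void)
{
    char dir[] = "/tmp/pr95175.XXXXXX", link[64];
    struct stat st;
    int rc;
    if (mkdtemp(dir) == NULL)
        return -2;
    snprintf(link, sizeof(link), "%s/onwhere", dir);
    if (symlink("missing-target", link) != 0) {
        rmdir(dir);
        return -2;
    }
    rc = pick_stat(link, &st);
    unlink(link);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("dangling link verdict: %d\n", demo_dangling_link());
    return 0;
}
```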
