From llwang@infor.ck.tp.edu.tw  Thu Apr 13 23:31:41 2006
Return-Path: <llwang@infor.ck.tp.edu.tw>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D94F716A405;
	Thu, 13 Apr 2006 23:31:41 +0000 (UTC)
	(envelope-from llwang@infor.ck.tp.edu.tw)
Received: from infor.ck.tp.edu.tw (infor.ck.tp.edu.tw [203.64.26.200])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6600C43D48;
	Thu, 13 Apr 2006 23:31:41 +0000 (GMT)
	(envelope-from llwang@infor.ck.tp.edu.tw)
Received: by infor.ck.tp.edu.tw (Postfix, from userid 1001)
	id 028B217020; Fri, 14 Apr 2006 07:31:40 +0800 (CST)
Message-Id: <20060413233140.028B217020@infor.ck.tp.edu.tw>
Date: Fri, 14 Apr 2006 07:31:40 +0800 (CST)
From: Li-Lun Wang (Leland Wang) <llwang@infor.org>
Reply-To: Li-Lun Wang (Leland Wang) <llwang@infor.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Sean Chittenden <seanc@FreeBSD.org>
Subject: /usr/games/random busy loop under some conditions
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         95715
>Category:       bin
>Synopsis:       [patch] random(6) busy loop under some conditions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 13 23:40:18 GMT 2006
>Closed-Date:    Sat Dec 18 20:29:42 UTC 2010
>Last-Modified:  Sat Dec 18 20:29:42 UTC 2010
>Originator:     Li-Lun Wang (Leland Wang)
>Release:        FreeBSD 6.0-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD Athena.infor.org 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #3: Thu Jan 26 23:44:20 CST 2006 root@Athena.infor.org:/usr/obj/usr/src/sys/Athena i386


	
>Description:
In randomize_fd() in randomize_fd.c, when buf is full and i == buflen in
line 132, it doubles buf in line 151 and tries to read the remainder of
the line in line 157. It sets buflen to len in line 164 (which is also
incorrect), but then buflen is doubled in line 169.

As a result, when this line completes, i <= buflen still holds because
buflen has been doubled after it was set, and thus the condition in line
132 will not be true. The for loop in line 131 decrements bufleft below
zero, so that neither the condition in line 117 nor that in line 131
holds, no further input line is read, and it loops forever.

Modified files:
	games/random	randomize_fd.c
	
>How-To-Repeat:
$ random -f -
1
12
(the program begins to loop here)
	
>Fix:
--- randomize_fd.c.orig	Thu Apr 13 17:20:56 2006
+++ randomize_fd.c	Thu Apr 13 18:23:18 2006
@@ -153,20 +153,20 @@
 						err(1, "realloc");
 
 					buf = p;
+					buflen *= 2;
 					if (!eof) {
-						len = read(fd, &buf[i], buflen);
+						len = read(fd, &buf[i], buflen - i);
 						if (len == -1)
 							err(1, "read");
 						else if (len == 0) {
 							eof++;
 							break;
 						} else if (len < (ssize_t)(buflen - i))
-							buflen = (size_t)len;
+							buflen = i + (size_t)len;
 
 						bufleft = (int)len;
 					}
 
-					buflen *= 2;
 				}
 			}
 
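Review bot: In the `len == 0` branch, `break` now leaves the loop with buflen already doubled, because `buflen *= 2` moved above the `if (!eof)` block; before this change the doubling sat after that block and the EOF path skipped it. The short-read branch now treats buflen as the end of valid data (`buflen = i + (size_t)len`), so the EOF branch should do the same and set `buflen = i` before `break`; otherwise any later use of buflen as a data bound covers bytes of the reallocated buffer that were never read into. Separately, `bufleft = (int)len` narrows an ssize_t to int and `buflen *= 2` has no overflow check; both deserve a guard, and a one-line comment saying that buflen serves as both the capacity and the data length here would help the next reader.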

	


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: ache 
State-Changed-When: Fri Apr 14 17:32:51 UTC 2006 
State-Changed-Why:  
Fixed in -current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95715 

From: Gavin Atkinson <gavin@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/95715: [patch] random(6) busy loop under some conditions
Date: Sat, 31 May 2008 16:51:34 +0100 (BST)

 This was fixed in src/games/random/randomize_fd.c 1.3 before 7.x was 
 branched, but has not yet been MFC'd to RELENG_6.
State-Changed-From-To: patched->closed 
State-Changed-By: jh 
State-Changed-When: Sat Dec 18 20:29:40 UTC 2010 
State-Changed-Why:  
Reportedly fixed in all supported branches. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95715 
>Unformatted:
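Added example, not part of the PR or of the FreeBSD source: a read-and-grow loop that keeps the allocated capacity and the filled length in separate fields, so doubling the buffer cannot shift the end-of-data index as the description above reports. The names inbuf, slurp and count_lines and the sample input are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Growable input buffer: cap is the allocated size, len the bytes filled.
 * Keeping the two apart means growing never changes what counts as data. */
struct inbuf { char *data; size_t cap, len; };

/* Read fd to EOF into b, doubling capacity when full. Returns 0 or -1. */
static int slurp(int fd, struct inbuf *b)
{
	for (;;) {
		if (b->len == b->cap) {
			/* tiny initial size so short inputs exercise the growth path */
			size_t ncap = b->cap ? b->cap * 2 : 4;
			if (ncap < b->cap)
				return -1;              /* size_t overflow */
			char *p = realloc(b->data, ncap);
			if (p == NULL)
				return -1;
			b->data = p;
			b->cap = ncap;
		}
		/* Never ask for more than the free space after the filled part. */
		ssize_t n = read(fd, b->data + b->len, b->cap - b->len);
		if (n == -1)
			return -1;
		if (n == 0)
			return 0;                   /* EOF: len already marks the data end */
		b->len += (size_t)n;            /* a short read only advances len */
	}
}

/* Feed constructed input through a pipe and count newline-terminated lines. */
int count_lines(const char *input)
{
	int pfd[2], lines = 0;
	struct inbuf b = { NULL, 0, 0 };

	if (pipe(pfd) == -1)
		return -1;
	if (write(pfd[1], input, strlen(input)) == -1)
		return -1;
	close(pfd[1]);                      /* reader sees EOF after the data */
	if (slurp(pfd[0], &b) == -1)
		lines = -1;
	else
		for (size_t i = 0; i < b.len; i++)
			if (b.data[i] == '\n')
				lines++;
	close(pfd[0]);
	free(b.data);
	return lines;
}
```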
