From alan@agora.rdrop.com  Sat Feb  7 22:42:59 2004
Return-Path: <alan@agora.rdrop.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1A97916A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  7 Feb 2004 22:42:59 -0800 (PST)
Received: from agora.rdrop.com (agora.rdrop.com [199.26.172.34])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DF8E843D1D
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  7 Feb 2004 22:42:58 -0800 (PST)
	(envelope-from alan@agora.rdrop.com)
Received: from agora.rdrop.com (202@localhost [127.0.0.1])
	by agora.rdrop.com (8.12.7/8.12.7) with ESMTP id i186gwNE089486
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 7 Feb 2004 22:42:58 -0800 (PST)
	(envelope-from alan@agora.rdrop.com)
Received: (from alan@localhost)
	by agora.rdrop.com (8.12.7/8.12.9/Submit) id i186gw7s089485;
	Sat, 7 Feb 2004 22:42:58 -0800 (PST)
Message-Id: <200402080642.i186gw7s089485@agora.rdrop.com>
Date: Sat, 7 Feb 2004 22:42:58 -0800 (PST)
From: Alan Batie <alan@agora.rdrop.com>
Reply-To: Alan Batie <alan@agora.rdrop.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: realloc occasionally corrupts end of realloc'd block
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         62515
>Category:       i386
>Synopsis:       realloc occasionally corrupts end of realloc'd block
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-i386
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 07 22:50:17 PST 2004
>Closed-Date:    Sat Feb 14 04:01:07 PST 2004
>Last-Modified:  Sat Feb 14 04:01:07 PST 2004
>Originator:     Alan Batie
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
RainDrop Laboratories
>Environment:
System: FreeBSD agora.rdrop.com 4.7-STABLE FreeBSD 4.7-STABLE #0: Mon Feb 3 00:57:16 PST 2003 root@agora.rdrop.com:/usr/src/freebsd/src/sys/compile/AGORA i386


>Description:
	I have a web application to allow users to change their password
	and a few other account management activities.  I recently added
	support for updating street address info in a MySQL database using
	ODBC calls (iodbc).  After doing so, occasionally data in another
	flat text file database would be corrupted.  After much hair pulling,
	I found the following in code that implements a perl style "join":

	Debug output:

	    Feb  7 20:17:50 agora acctmgmt:     buf: 'login:User Name:503-nnn-nnnn:w'
	    Feb  7 20:17:50 agora acctmgmt:     realloc buf: 'login:User Name:503-nnn-nnnn:w:Mar-2004:61051 '

	Code segment:
	    syslog(LOG_WARNING, "    buf: '%s'", buf);
	    len += strlen(stack[i]);
	    buf = realloc(buf, len + 2);
	    syslog(LOG_WARNING, "    realloc buf: '%s'", buf);

	After adding code to detect the condition, it changed slightly:

	    Feb  7 21:43:14 agora acctmgmt: realloc failed!
	    Feb  7 21:43:14 agora acctmgmt:     before(0x0807b480)='login:User Name:503-nnn-nnnn:w'
	    Feb  7 21:43:14 agora acctmgmt:     after(0x0807b4c0)='login:User Name:503-nnn-nnnn:'


>How-To-Repeat:
	
>Fix:

	I've worked around the problem by saving the buffer before
	the realloc and recopying it if need be:

	    if (first) {
		before = NULL;
		blen = 0;
	    } else {
		before = strdup(buf);
		blen = strlen(buf);
	    }
	    buf = (char *) realloc(buf, len + 2);
	    alen = strlen(buf);
	    if (blen != 0 && alen != blen) {
		syslog(LOG_WARNING, "realloc failed!");
		syslog(LOG_WARNING, "    before(0x%08x)='%s'", before, before);
		syslog(LOG_WARNING, "    after(0x%08x)='%s'", buf, buf);
		strcpy(buf, before);
	    }
>Release-Note:
>Audit-Trail:

From: Alan Batie <alan@batie.org>
To: freebsd-gnats-submit@FreeBSD.org, alan@agora.rdrop.com
Cc:  
Subject: Re: i386/62515: realloc occasionally corrupts end of realloc'd block
Date: Fri, 13 Feb 2004 11:24:26 -0800

 This is a cryptographically signed message in MIME format.
 
 Never mind.  The problem turned out to be the "len += strlen(stack[i])".  It 
 adds length for the segment being added.  The len+2 in the realloc was intended 
 to capture space for the separator character and null terminator space, but 
 there's a sepchar for each segment to account for.  Ooops.
 
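The root cause the submitter identified above, shown as an added example (not code from the PR): the report's formula budgets one separator for the whole string, so with n segments the buffer is n-2 bytes short, the last segment's tail is written past the allocation, and the next realloc() only preserves the bytes that were inside it. The join below keeps the report's grow-per-segment structure but sizes each realloc() from the bytes actually written; the sample record, the function names and SAMPLE_N are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample record, modelled on the report's log line. */
const char *sample[] = {"login", "User Name", "503-nnn-nnnn", "w", "Mar-2004", "61051"};
const size_t SAMPLE_N = 6;

/* The accounting the report used: total of segment lengths plus 2
 * (one separator, one NUL). It is short by n-2 bytes once n > 2. */
size_t join_size_as_reported(const char **segs, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len += strlen(segs[i]);
    return len + 2;
}

/* Correct size: every segment boundary costs a separator, plus the NUL. */
size_t join_size(const char **segs, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len += strlen(segs[i]);
    return len + (n > 1 ? n - 1 : 0) + 1;
}

/* Perl-style join that grows the buffer per segment, as the report's
 * loop did, but sizes each realloc() from the bytes actually written. */
char *join(char sep, const char **segs, size_t n) {
    char *buf = NULL;
    size_t len = 0;                       /* bytes in use, excluding NUL */
    for (size_t i = 0; i < n; i++) {
        size_t seglen = strlen(segs[i]);
        size_t need = len + (i > 0 ? 1 : 0) + seglen + 1;
        char *tmp = realloc(buf, need);   /* never overwrite buf with a NULL result */
        if (tmp == NULL) { free(buf); return NULL; }
        buf = tmp;
        if (i > 0) buf[len++] = sep;
        memcpy(buf + len, segs[i], seglen + 1);   /* copies the NUL as well */
        len += seglen;
    }
    if (buf == NULL && (buf = malloc(1)) != NULL) buf[0] = '\0';  /* n == 0 */
    return buf;
}

int main(void) {
    char *s = join(':', sample, SAMPLE_N);
    printf("%s\nneeded %zu bytes, report's formula gave %zu\n", s,
           join_size(sample, SAMPLE_N), join_size_as_reported(sample, SAMPLE_N));
    free(s);
    return 0;
}
```

For the six-field sample the correct size is 46 bytes while the report's formula yields 42, which is exactly the four-byte shortfall that truncated the record in the log lines above.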
State-Changed-From-To: open->closed 
State-Changed-By: simon 
State-Changed-When: Sat Feb 14 03:59:34 PST 2004 
State-Changed-Why:  
Submitter has located the problem. 
Thanks for letting us know. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=62515 
>Unformatted:
