Message-Id: <200809032101.m83L1piE011666@www.freebsd.org>
Date: Wed, 3 Sep 2008 21:01:51 GMT
From: Jeff Blank <jfb@mr-happy.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: comms/qpage segmentation fault due to freeing already-freed memory
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         127075
>Category:       ports
>Synopsis:       comms/qpage segmentation fault due to freeing already-freed memory
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    stefan
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 03 21:10:01 UTC 2008
>Closed-Date:    Sat Oct 18 18:51:41 UTC 2008
>Last-Modified:  Sat Oct 18 18:51:41 UTC 2008
>Originator:     Jeff Blank
>Release:        FreeBSD 7.0-RELEASE
>Organization:
>Environment:
FreeBSD zorak.tc.mtu.edu 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #0: Mon Jul 14 17:18:38 EDT 2008     root@zorak.tc.mtu.edu:/usr/obj/usr/src/sys/ULE_POLLING  i386

>Description:
When qpage in daemon mode receives a SIGHUP, it frees malloc-ed memory before rereading its configuration file. The problem occurs on line 1410 of config.c, where a pointer to a service declaration is freed. The memory at that address is not a separate allocation for each PAGER struct, and furthermore, the entire service list has been freed by the time free_pagers() is called. Calling free() on a pointer that points to unallocated memory appears to cause a segmentation fault.
>How-To-Repeat:
Build and install ports/qpage. No tunables are present in the Makefile. Install a working qpage.cf in /usr/local/etc (perhaps just using the qpage-example.cf provided). It is not necessary to have a modem available as long as the configuration file can be edited to reference an existing /dev/cua* device that is not otherwise in use ("modem=/dev/XXX" in qpage.cf). Execute '/usr/local/etc/rc.d/qpage.sh start'. At this point, there should be one qpage process running. Send the process a SIGHUP, wait a moment, and send another SIGHUP. qpage will have exited with a segmentation fault (logged to /var/log/messages by a standard FreeBSD configuration).
>Fix:
attached patch

Patch attached with submission follows:

--- config.c.orig	Fri Jan  1 22:14:50 1999
+++ config.c	Wed May  4 16:28:49 2005
@@ -1407,7 +1407,6 @@
 		my_free(list->name);
 		my_free(list->text);
 		my_free(list->pagerid);
-		my_free(list->service);
 		free(list);
 	}
 }
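Review bot: Dropping `my_free(list->service)` at line 1410 leaves nothing in the code to say why `service` is the one member not released alongside `name`, `text` and `pagerid`. Put a short comment where the call was, stating that `list->service` points into the service list, which is freed separately, so a later cleanup pass does not reinstate the call.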


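The ownership problem described in this report, as an added example that is not part of the original submission and is not qpage source: two pager entries share one borrowed `service` pointer, the service list is freed first, and the pager cleanup runs with and without the extra free. The allocator wrappers `t_alloc`/`t_free`, the `reload` function and the struct layouts are hypothetical; frees are recorded and deferred so a repeated free is counted rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: frees are recorded and deferred, so a repeated
 * free is counted instead of corrupting the heap. */
#define SLOTS 8
static struct { void *p; int released; } slot[SLOTS];
static int nslots, bad_frees, leaked;

static void *t_alloc(size_t n) {
    void *p = nslots < SLOTS ? calloc(1, n) : NULL;
    if (p) { slot[nslots].p = p; slot[nslots].released = 0; nslots++; }
    return p;
}

static void t_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nslots; i++)
        if (slot[i].p == p) {
            bad_frees += slot[i].released;   /* block was already freed */
            slot[i].released = 1;
            return;
        }
    bad_frees++;                             /* never allocated here */
}

struct service { int id; };
struct pager { struct service *service; };   /* borrowed, shared pointer */

/* One reload: the service list is freed, then the pager list.
 * Returns the number of invalid frees (-1 if setup failed); sets leaked. */
static int reload(int pagers_free_service) {
    struct service *svc = t_alloc(sizeof(struct service));
    struct pager *pg[2] = { t_alloc(sizeof(struct pager)),
                            t_alloc(sizeof(struct pager)) };
    bad_frees = leaked = 0;
    if (svc && pg[0] && pg[1]) {
        pg[0]->service = pg[1]->service = svc;
        t_free(svc);                         /* service list goes first */
        for (int i = 0; i < 2; i++) {        /* then the pager list */
            if (pagers_free_service) t_free(pg[i]->service);
            t_free(pg[i]);
        }
    } else bad_frees = -1;
    for (int i = 0; i < nslots; i++) {       /* really release everything */
        leaked += !slot[i].released;
        free(slot[i].p);
    }
    nslots = 0;
    return bad_frees;
}

int main(void) {
    int before = reload(1), after = reload(0);
    printf("invalid frees: before=%d after=%d leaked=%d\n", before, after, leaked);
    return 0;
}
```

With the extra free in place each pager entry releases the shared block again; without it, every block is still released exactly once, so removing the call does not introduce a leak in this model.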
>Release-Note:
>Audit-Trail:

From: Stefan Walter <stefan@freebsd.org>
To: Jeff Blank <jfb@mr-happy.com>
Cc: GNATS <FreeBSD-gnats-submit@FreeBSD.org>
Subject: Re: ports/127075: comms/qpage segmentation fault due to freeing
	already-freed memory
Date: Sat, 18 Oct 2008 10:29:09 +0200

 Hi Jeff,
 
 I wasn't able to put together a minimal working configuration file.
 Starting qpage always results in "Error reading configuration file". Can
 you provide a minimal configuration that allows me to test it without a
 modem?
 
 Regards,
 Stefan
Responsible-Changed-From-To: freebsd-ports-bugs->stefan 
Responsible-Changed-By: stefan 
Responsible-Changed-When: Sat Oct 18 18:41:44 UTC 2008 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127075 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/127075: commit references a PR
Date: Sat, 18 Oct 2008 18:45:29 +0000 (UTC)

 stefan      2008-10-18 18:45:19 UTC
 
   FreeBSD ports repository
 
   Modified files:
     comms/qpage          Makefile 
   Added files:
     comms/qpage/files    patch-config.c 
   Log:
   - Fix segmentation faults on SIGHUP.
   - Assign maintainership to submitter.
   
   PR:             127075, 127827
   Submitted by:   Jeffrey Blank <jfb@mr-happy.com>
   
   Revision  Changes    Path
   1.26      +2 -2      ports/comms/qpage/Makefile
   1.1       +12 -0     ports/comms/qpage/files/patch-config.c (new)
 
State-Changed-From-To: open->closed 
State-Changed-By: stefan 
State-Changed-When: Sat Oct 18 18:51:15 UTC 2008 
State-Changed-Why:  
Patch committed, thanks! 

>Unformatted:
