Subject: bin/566: sed drops core
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: John Brezak <brezak@ch.hp.com>
List: netbsd-bugs
Date: 11/09/1994 09:20:04
>Number: 566
>Category: bin
>Synopsis: sed can dump core due to garbage in malloc'ed struct
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: gnats-admin (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Nov 9 09:20:02 1994
>Originator: John Brezak
>Organization:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
John Brezak UUCP: uunet!apollo.hp!brezak
Hewlett Packard/Apollo Internet: brezak@ch.hp.com
300 Apollo Drive Phone: (508) 436-4915
Chelmsford, Massachusetts Fax: (508) 436-5103
>Release: 1.0beta
>Environment:
System: NetBSD sussex 1.0_BETA NetBSD 1.0_BETA (SUSSEX) #87: Wed Nov 2 01:03:10 EST 1994 brezak@sussex:/u1/home/john/src/netbsd/sys/arch/i386/compile/SUSSEX i386
>Description:
sed dropped core when trying to build kerberos5 beta4 patch3. Upon examination
I found that sed was crashing with this traceback:
#0 0x4857 in applies (cp=0xe120) at /u0/src/netbsd/usr.bin/sed/process.c:288
#1 0x3f32 in process () at /u0/src/netbsd/usr.bin/sed/process.c:102
#2 0x3617 in main (argc=1, argv=0xf7bfd780)
The cp contained a structure that had garbage pointers in it. In this case
a1 was garbage.
(gdb) p *cp
$2 = {next = 0xe1e0, a1 = 0x1000003b, a2 = 0x58000004, t = 0x48000002 "", u = {
c = 0x10000020, s = 0x10000020, y = 0x10000020 "", fd = 268435488},
code = 125 '}', nonsel = 0, inrange = 0}
>How-To-Repeat:
Build kerberos5 beta4.3. It has a sed script in the util/ss directory that
caused sed to dump core.
>Fix:
The simplest fix is to initialize malloc'ed memory to 0 in
/usr/src/usr.bin/sed/misc.c.
*** misc.c.orig Fri Feb 4 05:15:24 1994
--- misc.c Wed Nov 9 11:51:33 1994
***************
*** 62,67 ****
--- 62,68 ----
if ((p = malloc(size)) == NULL)
err(FATAL, "%s", strerror(errno));
+ memset(p, 0, size);
return (p);
}
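Review bot: the memset() added after the NULL check zeroes every allocation made through this function, which stops the crash but leaves the actual defect in place: the caller that builds the command structure still never sets a1 (the gdb output in the report shows it holding garbage when applies() reads it). I would initialize the structure's pointer fields explicitly at the place where it is allocated, so that a missing initialization stays visible to debugging tools instead of being masked for all callers. If zeroing in the wrapper is kept, calloc(1, size) expresses it in one call. The hunk also adds no #include <string.h>; please confirm misc.c already includes it for memset().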
>Audit-Trail:
>Unformatted: