>Number:         7246
>Category:       bin
>Synopsis:       Bogus free() in ELF ldd
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 25 23:20:00 1999
>Last-Modified:
>Originator:     Mark Brinicombe
>Organization:
Network Computer Inc
>Release:        NetBSD-current 1999/03/25
>Environment:
	
System: NetBSD p2.devlab.nc.com 1.3I-NCOS NetBSD 1.3I-NCOS (P2) #1: Wed Mar 17 16:37:17 PST 1999 mark@p2.devlab.nc.com:/usr/export/mark/NCOS/os-src/sys/arch/i386/compile/P2 i386


>Description:
	The ELF ldd binary performs a free() call on pointer that it did not
	obtain via malloc().
	The path in _rtld_objmain is set to argv[0] and _rtld_objmain is
	added to the _rtld_objtail list. However all paths in the Obj_Entry
	structures are freed via free() resulting in a free() call with
	the argv[0] pointer.

>How-To-Repeat:
	Account the free() verse malloc() calls in ldd.
	
>Fix:
	1. Make a copy of *argv with strup()
	2. Modify the code so that it will not try and free the path for
	_rtld_objmain

	The solution for (1) is given.

*** ldd/ldd_elf/ldd.c.orig	Thu Mar 25 23:04:51 1999
--- ldd/ldd_elf/ldd.c	Thu Mar 25 23:10:26 1999
***************
*** 107,113 ****
  	    continue;
  	}
  
! 	_rtld_objmain->path = *argv;
  	_rtld_objmain->mainprog = true;
  	_rtld_digest_dynamic(_rtld_objmain);
  
--- 107,113 ----
  	    continue;
  	}
  
! 	_rtld_objmain->path = strdup(*argv);
  	_rtld_objmain->mainprog = true;
  	_rtld_digest_dynamic(_rtld_objmain);
  
>Audit-Trail:
>Unformatted: