Subject: bin/8870: double free in ftp
To: None <gnats-bugs@gnats.netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-bugs
Date: 11/24/1999 16:53:15
>Number: 8870
>Category: bin
>Synopsis: double free in ftp
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Nov 24 16:33:01 1999
>Last-Modified:
>Originator: Wolfgang Rupprecht
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Release: NetBSD-current Nov 19, 1999
>Environment:
System: NetBSD capsicum.wsrcc.com 1.4O NetBSD 1.4O (WSRCC) #0: Fri Nov 19 10:16:20 PST 1999 root@capsicum.wsrcc.com:/v/src/netbsd/NetBSD-current/usr/src/sys/arch/i386/compile/WSRCC i386
>Description:
ftp will try to free the same memory twice.
>How-To-Repeat:
ftp somewhere, do an xfer, and let the connection time out.
Type ^D.
Notice that the new malloc()/free() catches the double free().
ftp> get 6.1-i386.iso
local: 6.1-i386.iso remote: 6.1-i386.iso
227 Entering Passive Mode (209,155,82,18,59,17)
150 Opening BINARY mode data connection for '6.1-i386.iso' (674164736 bytes).
100% |*************************************| 642 MB 98.27 KB/s 00:00 ETA
226 Transfer complete.
674164736 bytes received in 1:51:39 (98.27 KB/s)
[ let it time out for several tens of minutes ]
ftp> ^D
421 Timeout (300 seconds): closing control connection.
ftp in free(): warning: chunk is already free.
>Fix:
>Audit-Trail:
>Unformatted: