Subject: lib/13292: infinite loop possible in cgetmatch()
To: None <>
From: None <>
List: netbsd-bugs
Date: 06/23/2001 12:03:41
>Number:         13292
>Category:       lib
>Synopsis:       infinite loop possible in cgetmatch()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 23 12:02:01 PDT 2001
>Originator:     Dean Huxley
>Release:        NetBSD 1.5.1_BETA2
NetBSD jalapeno 1.5.1 NetBSD 1.5.1 (JALAPENO) #1: Fri Jun 22 05:18:04 MDT 2001     dean@jalapeno:/usr/src/sys/arch/i386/compile/JALAPENO i386
I'm seeing lpd processes taking 100% CPU.  The problem results from a
pointer bug in cgetmatch.  With the current logic, it's possible that
the *bp pointer points to buf-1 and one of the for(;;) loops never
breaks out.
Compile and run this code:

#include <stdio.h>
#include <stdlib.h>        /* declares cgetmatch(3) on NetBSD */

int main(void) {
        char *buf = "Xlp|foo:lp=/dev/null:";
        printf("%d\n", cgetmatch(buf + 1, ""));  /* never returns: bp backs up to buf-1 */
        return 0;
}

In src/lib/libc/gen/getcap.c, in function cgetmatch, add:

        if(*name == '\0')

after the _DIAGASSERT lines.
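As an added illustration (not code from this PR or from libc), here is a re-implementation of the cgetmatch name-scanning loop as the PR describes it, with the empty-name guard the PR proposes placed before the loop; the unguarded variant is iteration-bounded so the runaway shows up as a -2 return instead of a hang. The function names, the bound and the -2 sentinel are my own.

```c
/* Re-implementation of the cgetmatch(3) name-scanning loop, modelled on the
 * algorithm the PR describes, not the libc source: try to match name at bp;
 * on failure back up one char (bp--) and skip to the next '|'-separated name.
 * limit bounds the outer iterations (-2 = would loop forever) so the runaway
 * case can be demonstrated without hanging. */
static int
match_names(const char *buf, const char *name, unsigned long limit)
{
	const char *bp = buf, *np;
	unsigned long steps = 0;

	for (;;) {
		if (++steps > limit)
			return -2;
		np = name;
		for (;;) {
			if (*np == '\0') {
				if (*bp == '|' || *bp == ':' || *bp == '\0')
					return 0;	/* whole name matched */
				break;
			}
			if (*bp++ != *np++)
				break;
		}
		/* name == "" consumed nothing: bp-- lands on the previous '|'
		 * (or before buf) and the skip loop below re-finds it forever. */
		bp--;
		for (;;) {
			if (*bp == '\0' || *bp == ':')
				return -1;	/* no more names: match failed */
			if (*bp++ == '|')
				break;
		}
	}
}

/* Unguarded behaviour, bounded so the runaway is reported as -2. */
int cgetmatch_unguarded(const char *buf, const char *name)
{
	return match_names(buf, name, 1000);
}

/* The check the PR proposes, placed before the loop is ever entered. */
int cgetmatch_fixed(const char *buf, const char *name)
{
	if (*name == '\0')
		return -1;
	return match_names(buf, name, ~0UL);
}
```

Calling the unguarded variant with the PR's buf+1 and an empty name hits the bound, while the guarded one returns -1 without touching the buffer at all.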