Subject: lib/13292: infinite loop possible in cgetmatch()
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dean@huxley.org>
List: netbsd-bugs
Date: 06/23/2001 12:03:41
>Number: 13292
>Category: lib
>Synopsis: infinite loop possible in cgetmatch()
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jun 23 12:02:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Dean Huxley
>Release: NetBSD 1.5.1_BETA2
>Organization:
none
>Environment:
NetBSD jalapeno 1.5.1 NetBSD 1.5.1 (JALAPENO) #1: Fri Jun 22 05:18:04 MDT 2001 dean@jalapeno:/usr/src/sys/arch/i386/compile/JALAPENO i386
>Description:
I'm seeing lpd processes taking 100% cpu. The problem results from a
pointer bug in cgetmatch. With the current logic, it's possible that
the *bp pointer points to buf-1 and one of the for(;;) loops never
breaks out.
>How-To-Repeat:
Compile and run this code:
#include <stdio.h>
#include <stdlib.h>	/* cgetmatch() */

int
main(void)
{
	/* leading 'X' is the byte cgetmatch() steps back onto when name is empty */
	char *buf = "Xlp|foo:lp=/dev/null:";
	printf("%d\n", cgetmatch(buf + 1, ""));
	return 0;
}
>Fix:
In src/lib/libc/gen/getcap.c, in function cgetmatch, add:
	if (*name == '\0')
		return (-1);
after the _DIAGASSERT lines.
>Release-Note:
>Audit-Trail:
>Unformatted:
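Added illustration, not part of the report and not NetBSD's libc source: a reduced C model of the 4.4BSD-style cgetmatch() matching loops, run against the report's record with a constructed step budget so the stuck loop shows up as a return code instead of a hang, beside the empty-name guard proposed under >Fix:. RECORD, STEP_BUDGET and match_model are constructed names.

```c
/* Added illustration, not NetBSD's libc: a reduced model of the 4.4BSD-style
 * cgetmatch() loops.  STEP_BUDGET is constructed so that the looping failure
 * returns a code instead of spinning forever. */
#include <stdio.h>
#define STEP_BUDGET 1000

/* Constructed record, as in the report: the leading 'X' is the byte the
 * buggy loop steps back onto when the record pointer reaches buf-1. */
static const char RECORD[] = "Xlp|foo:lp=/dev/null:";

/* Returns 0 on match, -1 on no match, -2 when the loop does not terminate. */
static int
match_model(const char *buf, const char *name, int guarded)
{
	const char *np, *bp = buf;
	int steps = 0;

	if (guarded && *name == '\0')	/* the guard proposed in >Fix: */
		return -1;

	for (;;) {
		if (++steps > STEP_BUDGET)
			return -2;	/* stuck: bp keeps returning to the same '|' */
		np = name;
		for (;;)
			if (*np == '\0') {
				if (*bp == '|' || *bp == ':' || *bp == '\0')
					return 0;
				break;	/* bp not advanced; with an empty name the
					 * bp-- below lands one byte before buf */
			} else if (*bp++ != *np++)
				break;
		bp--;			/* undo the increment past the mismatched byte */
		for (;;)
			if (*bp == '\0' || *bp == ':')
				return -1;
			else if (*bp++ == '|')
				break;	/* skip to the next name in the record */
	}
}

int
main(void)
{
	printf("unguarded, empty name: %d\n", match_model(RECORD + 1, "", 0));
	printf("guarded, empty name:   %d\n", match_model(RECORD + 1, "", 1));
	printf("guarded, name \"foo\":  %d\n", match_model(RECORD + 1, "foo", 1));
	return 0;
}
```

Without the guard the empty name never advances bp past the first '|', so the budget runs out; with it, an empty name simply fails to match and ordinary names still resolve.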