Subject: bin/34030: double-free bugs in CVS 1.11.22
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <tnozaki@NetBSD.org>
List: netbsd-bugs
Date: 07/18/2006 14:20:01
>Number: 34030
>Category: bin
>Synopsis: double-free bugs in CVS 1.11.22
>Confidential: no
>Severity: non-critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jul 18 14:20:01 +0000 2006
>Originator: Takehiko NOZAKI
>Release: 3.99.22 i386
>Organization:
>Environment:
NetBSD spooky.example.com 3.99.22 NetBSD 3.99.22 (SPOOKY) #0: Tue Jul 18 00:43:31 JST 2006 root@spooky.example.com:/usr/obj/sys/arhc/i386/compile/SPOOKY i386
$ cvs -v
Concurrent Version System (CVS) 1.11.22 (client/server)
>Description:
The char pointer variable `cvs_password' (login.c:33) is
freed twice, by auth_server() (client.c:3940) and login() (login.c:572).
This bug was introduced by the following Coverity fix:
http://cvsweb.netbsd.org/bsdweb.cgi/src/gnu/dist/xcvs/src/client.c.diff?r1=1.5&r2=1.6
For more detailed information, see the attached patch.
>How-To-Repeat:
$ cvs -d :pserver:foo@bar.example.com:2401/cvsroot login
Logging in to :pserver:foo@bar.example.com:2401/cvsroot
CVS password:
cvs in free(): warning: chunk is already free.
>Fix:
Index: gnu/dist/xcvs/src/client.c
===================================================================
RCS file: /cvsroot/src/gnu/dist/xcvs/src/client.c,v
retrieving revision 1.7
diff -u -r1.7 client.c
--- gnu/dist/xcvs/src/client.c 23 Jun 2006 22:44:11 -0000 1.7
+++ gnu/dist/xcvs/src/client.c 18 Jul 2006 07:33:06 -0000
@@ -3937,7 +3937,8 @@
/* Paranoia. */
memset (password, 0, strlen (password));
- free (password);
+ if (no_passwd == 1) /* password == get_cvs_password() */
+ free (password);
# else /* ! AUTH_CLIENT_SUPPORT */
error (1, 0, "INTERNAL ERROR: This client does not support pserver authentication");
# endif /* AUTH_CLIENT_SUPPORT */
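Review bot: the guard `if (no_passwd == 1)` makes whether `password` may be freed depend on a flag that says a password was not found, and the comment `/* password == get_cvs_password() */` does not explain why that flag implies the buffer is not the cached `cvs_password` that login() frees at login.c:572; state the ownership rule directly instead (free only when `password` is not the cached pointer, or have get_cvs_password() always hand back a copy the caller owns), otherwise a later change to when no_passwd is set can silently bring the double free back or leak a password that was found. Note also that the `memset (password, 0, strlen (password))` in the unchanged context above still runs unconditionally, so when the buffer is the cached one it is scrubbed on login()'s behalf; say whether that is intended.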
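The report describes a getter that sometimes hands out a cached buffer and sometimes a fresh one, so its caller cannot know whether it owns what it received. The following C program is an added illustration of that ownership confusion and of the fix that removes it; it is not CVS code and not the patch above. The function names cvs_password, get_cvs_password_*, auth_server and login_flow are stand-ins modelled on the names in the report, the scrambled password string is constructed, and the allocation tracker only records frees so that the faulty flow can be run without corrupting the real heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny allocation tracker (assumption for this example): frees are recorded,
   not performed, so a second free of the same buffer is counted instead of
   being undefined behaviour, and the buffer can still be inspected. */
#define MAX_TRACKED 16
static struct { char *p; int freed; } slots[MAX_TRACKED];
static int double_frees;

static char *tracked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) abort();
    memcpy(p, s, n);
    for (int i = 0; i < MAX_TRACKED; i++)
        if (slots[i].p == NULL) { slots[i].p = p; slots[i].freed = 0; return p; }
    abort();
}

static void tracked_free(char *p)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (slots[i].p != p) continue;
        if (slots[i].freed) double_frees++;   /* the bug class in the report */
        slots[i].freed = 1;
        return;
    }
    abort();                                  /* never allocated by the tracker */
}

static void tracked_release_all(void)
{
    for (int i = 0; i < MAX_TRACKED; i++) { free(slots[i].p); slots[i].p = NULL; }
}

/* Stand-in for login.c's cached scrambled password, set while login()
   verifies it against the server. */
static char *cvs_password;

/* Getter with ambiguous ownership (the shape the report describes): returns
   the cached buffer itself when one exists, otherwise a fresh empty string. */
static char *get_cvs_password_shared(void)
{
    if (cvs_password != NULL)
        return cvs_password;
    return tracked_strdup("");
}

/* Getter with clear ownership: the caller always receives its own copy and
   may scrub and free it unconditionally. */
static char *get_cvs_password_copy(void)
{
    return tracked_strdup(cvs_password != NULL ? cvs_password : "");
}

/* Stand-in for auth_server(): use the password, then scrub and free it. */
static void auth_server(char *(*getter)(void))
{
    char *password = getter();
    /* ... the password would be sent to the server here ... */
    memset(password, 0, strlen(password));   /* "Paranoia." */
    tracked_free(password);
}

struct outcome {
    int double_frees;     /* frees of an already-freed buffer */
    int cache_scrubbed;   /* auth_server's memset reached login()'s cached copy */
};

/* Stand-in for login(): cache the typed password, verify it through
   auth_server(), then free the cache, as the report says login.c does. */
static struct outcome login_flow(char *(*getter)(void))
{
    struct outcome o = { 0, 0 };
    double_frees = 0;
    cvs_password = tracked_strdup("Ay=0=h<Z");   /* constructed scrambled value */
    auth_server(getter);
    o.cache_scrubbed = (cvs_password[0] == '\0');
    tracked_free(cvs_password);
    cvs_password = NULL;
    o.double_frees = double_frees;
    tracked_release_all();
    return o;
}

int main(void)
{
    struct outcome shared = login_flow(get_cvs_password_shared);
    struct outcome copy = login_flow(get_cvs_password_copy);
    printf("shared buffer: double frees=%d, cache scrubbed=%d\n",
           shared.double_frees, shared.cache_scrubbed);
    printf("caller-owned copy: double frees=%d, cache scrubbed=%d\n",
           copy.double_frees, copy.cache_scrubbed);
    return 0;
}
```

The shared getter produces exactly the sequence in the report: auth_server() scrubs and frees the cached buffer, then login() frees it again. Returning a copy removes both the double free and the side effect on the cache, without any flag at the call site deciding who owns the memory.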