Subject: Re: PR/34030 CVS commit: src/gnu/dist/xcvs/src
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Takehiko NOZAKI <th-nozaki@netwrk.co.jp>
List: netbsd-bugs
Date: 07/24/2006 17:55:02
The following reply was made to PR bin/34030; it has been noted by GNATS.

From: Takehiko NOZAKI <th-nozaki@netwrk.co.jp>
To: christos@zoulas.com (Christos Zoulas)
Cc: gnats-bugs@NetBSD.org
Subject: Re: PR/34030 CVS commit: src/gnu/dist/xcvs/src
Date: Tue, 25 Jul 2006 02:50:12 +0900

 hi,
 
 > 
 > On Jul 19, 10:47pm, th-nozaki@netwrk.co.jp (Takehiko NOZAKI) wrote:
 > -- Subject: Re: PR/34030 CVS commit: src/gnu/dist/xcvs/src
 > 
 > | thanks for your fix.
 > | but i think it's insufficient for ``paranoia'' :-).
 > | cvs_password should be filled with zero.
 > 
 > Will do, thanks!
 > 
 > christos
 > 
 
 oops, another memory leak introduced by my previous patch.
 
 get_cvs_password() may return not only cvs_password,
 but also a pointer malloc'ed by scramble() or password_entry_operation().
 
 i think simply strdup'ing cvs_password is a better match.
 
 
 Index: gnu/dist/xcvs/src/client.c
 ===================================================================
 RCS file: /cvsroot/src/gnu/dist/xcvs/src/client.c,v
 retrieving revision 1.8
 diff -u -r1.8 client.c
 --- gnu/dist/xcvs/src/client.c	18 Jul 2006 16:27:19 -0000	1.8
 +++ gnu/dist/xcvs/src/client.c	24 Jul 2006 17:36:40 -0000
 @@ -3936,11 +3936,8 @@
  	send_to_server("\012", 1);
  
          /* Paranoia. */
 -	if (no_passwd)
 -	{
 -	    memset (password, 0, strlen (password));
 -	    free (password);
 -	}
 +	memset (password, 0, strlen (password));
 +	free (password);
  # else /* ! AUTH_CLIENT_SUPPORT */
  	error (1, 0, "INTERNAL ERROR: This client does not support pserver authentication");
  # endif /* AUTH_CLIENT_SUPPORT */
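
Review bot: the now-unconditional `memset (password, 0, strlen (password));` and `free (password);` under the "Paranoia" comment are only safe if password is never NULL and always points to heap storage this caller owns. Assuming password here is the value returned by get_cvs_password(), the login.c change in this patch covers the cached cvs_password path with xstrdup, but the `getenv ("CVS_PASSWORD")` branch visible there is cut off by the hunk boundary, so please confirm that it and every other return path hand back a malloc'ed copy. Separately, a memset that is immediately followed by free is a dead store the compiler is allowed to drop, so the wipe should go through a helper the optimizer cannot elide.
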
 Index: gnu/dist/xcvs/src/login.c
 ===================================================================
 RCS file: /cvsroot/src/gnu/dist/xcvs/src/login.c,v
 retrieving revision 1.3
 diff -u -r1.3 login.c
 --- gnu/dist/xcvs/src/login.c	19 Jul 2006 14:28:03 -0000	1.3
 +++ gnu/dist/xcvs/src/login.c	24 Jul 2006 17:36:42 -0000
 @@ -569,7 +569,6 @@
      memset (typed_password, 0, strlen (typed_password));
      free (typed_password);
  
 -    memset (cvs_password, 0, strlen (cvs_password));
      free (cvs_password);
      free (cvsroot_canonical);
      cvs_password = NULL;
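
Review bot: removing the memset before `free (cvs_password);` leaves the password bytes in freed heap memory, while typed_password two lines above is still wiped before its free. If the removal is meant to avoid calling strlen() on a NULL cvs_password, guard the wipe with a NULL check instead of dropping it. If the concern is that cvs_password may not be heap storage owned by this function, then the `free (cvs_password);` that remains is the line that needs attention, and the message should say which case applies.
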
 @@ -592,7 +591,7 @@
         context, then assume they have supplied the correct, scrambled
         password. */
      if (cvs_password)
 -	return cvs_password;
 +	return xstrdup (cvs_password);
  
      if (getenv ("CVS_PASSWORD") != NULL)
      {
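
Review bot: `return xstrdup (cvs_password);` changes the ownership contract of this function, and the comment above the `if (cvs_password)` test does not say so: the result is now a fresh heap copy that the caller must wipe and free. Please state that in the function comment and check every caller, not only the client.c site changed in this patch, since a caller that still treats the result as borrowed will leak a copy of the password.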
 
 
 very truly yours.
 --
 Takehiko NOZAKI <tnozaki@NetBSD.org>