Subject: bin/34540: bogus free() in ftp(1)
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <b1ff@fr33.b33r.net>
List: netbsd-bugs
Date: 09/16/2006 22:20:00
>Number:         34540
>Category:       bin
>Synopsis:       bogus free() in ftp(1)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Sep 16 22:20:00 +0000 2006
>Originator:     Mathieu
>Release:        3.0.1
>Organization:
>Environment:
NetBSD sal.lan 3.0.1 NetBSD 3.0.1 (SPECIFIC) #0: Sun Jun 18 09:16:08 EDT 2006  mathieu@sal.lan:/usr/src/sys/arch/i386/compile/SPECIFIC i386
>Description:
Hi. I noticed a small bug in the ftp client with the "no_proxy" env var handling that causes a "ftp in free(): warning: modified (chunk-) pointer." message. But no real problems apart from a memory leak.

>How-To-Repeat:
Only happens if there are more than one field in no_proxy and that the matched one ain't the last field.

>Fix:
--- fetch.c.orig	2006-09-16 17:35:55.000000000 -0400
+++ fetch.c	2006-09-16 18:09:47.000000000 -0400
@@ -612,13 +612,13 @@
 				/* check URL against list of no_proxied sites */
 			no_proxy = getoptionvalue("no_proxy");
 			if (! EMPTYSTRING(no_proxy)) {
-				char *np, *np_copy;
+				char *np, *np_copy, *np_iter;
 				long np_port;
 				size_t hlen, plen;
 
-				np_copy = ftp_strdup(no_proxy);
+				np_iter = np_copy = ftp_strdup(no_proxy);
 				hlen = strlen(host);
-				while ((cp = strsep(&np_copy, " ,")) != NULL) {
+				while ((cp = strsep(&np_iter, " ,")) != NULL) {
 					if (*cp == '\0')
 						continue;
 					if ((np = strrchr(cp, ':')) != NULL) {