NetBSD-Bugs archive


lib/44888: [patch] libedit read.c: fix logic

>Number:         44888
>Category:       lib
>Synopsis:       [patch] libedit read.c: fix logic
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 20 22:45:00 +0000 2011
>Originator:     Lucius Windschuh
>Release:        FreeBSD 9-CURRENT
does not apply, using libedit on FreeBSD
wpa_supplicant segfaults on my FreeBSD machine since NetBSD's libedit readline 
support was imported.

Digging deeper, libedit's el_push in read.c looked suspicious (here in
FreeBSD's version, but with the same logic):

public void
el_push(EditLine *el, const char *str)
{
	c_macro_t *ma = &el->el_chared.c_macro;

	if (str != NULL && ma->level + 1 < EL_MAXMACRO) {
		if ((ma->macro[ma->level] = el_strdup(str)) != NULL)
It is strange to me that ma->level is not permanently incremented, only in the 
edge case where strdup returns NULL (which happens in my case).

So, I propose the fix below, which not only fixes the segfaults for me, but also
makes the logic consistent to me:
ma->level is incremented iff strdup() succeeds, reflecting the macro level

The fix to the NetBSD code is similar; the bug has existed since read.c version 1.30.
How to reproduce (at least on FreeBSD with enabled malloc debugging):

$ wpa_cli
> disco
> reass
(wait until more output is generated)
(press enter)
-> segfault

Backtrace from gdb:
(gdb)  bt
#0  0x281f05f7 in kill () from /lib/
#1  0x281f0516 in raise () from /lib/
#2  0x281eefca in abort () from /lib/
#3  0x281704f3 in malloc_usable_size () from /lib/
#4  0x28171fda in malloc_usable_size () from /lib/
#5  0x28172f5a in free () from /lib/
#6  0x280aaf02 in read_pop (ma=0xbfbfe22c) at read.c:311
#7  0x280adb41 in el_getc (el=0x2844e300, 
"ZD&#65533;\v(<&#65533;\v(\002\201D(&#65533;&#65533;&#65533;\017\203\n(") at 
#8  0x280b704f in el_gets (el=0x2844e300, nread=0xbfbfe4c8) at read.c:239
#9  0x280a830f in readline (p=0x805002a "> ") at 
#10 0x0804c4de in main (argc=Error accessing memory address 0x5: Bad address.

Index: read.c


--- read.c      (Revision 220736)

+++ read.c      (Arbeitskopie)

@@ -217,9 +217,10 @@


        if (str != NULL && ma->level + 1 < EL_MAXMACRO) {


-               if ((ma->macro[ma->level] = el_strdup(str)) != NULL)

+               if ((ma->macro[ma->level] = el_strdup(str)) != NULL) {

+                       ma->level--;


-               ma->level--;

+               }
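Review bot: the visible `+` lines place `ma->level--;` inside the new `!= NULL) {` block, i.e. on the branch where el_strdup() succeeded, while the description above says the level should be incremented iff strdup() succeeds; either the sign is wrong or the hunk was mangled in transit. The header `@@ -217,9 +217,10 @@` announces nine old lines, but only one context line and two `-` lines survive here, so the patch cannot be applied as shown. Please resend it as an attachment (or with the `diff -u` output intact) so the intended ordering of the increment, the strdup() call and the decrement on failure is unambiguous.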
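As an added illustration of the invariant the report argues for (this is not libedit's code and not the submitter's patch; the structure, field names and the MS_ prefix are assumptions), here is a minimal macro stack whose push copies the string first and advances the level only when the copy succeeded. A fault-injecting strdup stands in for the malloc-debugging failure described above, so the allocation-failure path can be exercised offline. The stack uses level == -1 for "empty", which is what the quoted guard `ma->level + 1 < EL_MAXMACRO` implies; that reading is also an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MS_MAXMACRO 4   /* constructed small bound so the full-stack path is easy to hit */

/* Hypothetical simplified macro stack: macro[0..level] are live entries,
 * level == -1 means empty. Names are assumptions, not libedit's fields. */
typedef struct {
    char *macro[MS_MAXMACRO];
    int level;
} macro_stack_t;

/* Fault-injection knob for the demo: when nonzero, the next copy fails once. */
static int ms_fail_next_alloc = 0;

static char *ms_strdup(const char *s)
{
    if (ms_fail_next_alloc) {
        ms_fail_next_alloc = 0;
        return NULL;            /* simulate strdup() returning NULL */
    }
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

void ms_init(macro_stack_t *ms)
{
    ms->level = -1;
}

int ms_depth(const macro_stack_t *ms)
{
    return ms->level + 1;
}

const char *ms_top(const macro_stack_t *ms)
{
    return ms->level < 0 ? NULL : ms->macro[ms->level];
}

/* Push: copy first, commit the level only on success.
 * Returns 1 on success, 0 when str is NULL, the stack is full, or the copy failed.
 * Because level is untouched on failure, a later pop never frees a slot that
 * was never filled. */
int ms_push(macro_stack_t *ms, const char *str)
{
    if (str == NULL || ms->level + 1 >= MS_MAXMACRO)
        return 0;
    char *copy = ms_strdup(str);
    if (copy == NULL)
        return 0;
    ms->macro[++ms->level] = copy;
    return 1;
}

/* Pop: free the top entry and lower the level; a no-op on an empty stack. */
int ms_pop(macro_stack_t *ms)
{
    if (ms->level < 0)
        return 0;
    free(ms->macro[ms->level]);
    ms->macro[ms->level] = NULL;
    ms->level--;
    return 1;
}

/* Scenario mirroring the report: a failing strdup() in the middle of a session
 * must leave depth and top unchanged. Returns 1 if every invariant held. */
int ms_demo(void)
{
    macro_stack_t ms;
    ms_init(&ms);
    int ok = ms_push(&ms, "disco") && ms_push(&ms, "reass") && ms_depth(&ms) == 2;
    ms_fail_next_alloc = 1;                              /* constructed failure */
    ok = ok && ms_push(&ms, "third") == 0;               /* push reports failure */
    ok = ok && ms_depth(&ms) == 2 && strcmp(ms_top(&ms), "reass") == 0;
    ok = ok && ms_pop(&ms) && ms_pop(&ms) && ms_depth(&ms) == 0;
    ok = ok && ms_pop(&ms) == 0;                         /* empty pop is safe */
    return ok;
}

int main(void)
{
    int ok = ms_demo();
    printf("invariants held: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of the fault knob is that the state the pop routine relies on (level, and the slot it indexes) is only changed after the allocation has succeeded; with that ordering, a debugging allocator that returns NULL cannot leave a level that points at an unfilled or already-freed slot.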



