Subject: bin/2747: rdist accesses free()d memory
To: None <gnats-bugs@gnats.netbsd.org>
From: Matt Beal <beal@umiacs.umd.edu>
List: netbsd-bugs
Date: 09/10/1996 14:13:32
>Number: 2747
>Category: bin
>Synopsis: rdist uses free()d memory
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 10 11:20:01 1996
>Last-Modified:
>Originator: Matt Beal
>Organization:
UMIACS, University of Maryland
>Release: 1.2_BETA
>Environment:
@(#)NetBSD 1.2_BETA (DILBERT) #51: Sat Aug 24 20:30:02 EDT 1996
beal@dilbert.umiacs.umd.edu:/usr/src/sys/arch/i386/compile/DILBERT
>Description:
Rdist creates a linked list of hosts to rdist to, and iterates
through it as it rdists. Each struct in the list is freed as the
list is iterated through, but the actual struct is accessed
immediately after it is freed.
This is extremely bad programming practice, whether or not it can
be relied on.
>How-To-Repeat:
Bug exists in everything derived from 4.4lite2.
>Fix:
diff -u -r1.1 /usr/src/usr.bin/rdist/gram.y
--- 1.1 1996/09/09 23:19:27
+++ gram.y 1996/09/09 23:20:17
@@ -373,11 +373,11 @@
struct subcmd *subcmds;
{
register struct cmd *c, *prev, *nc;
- register struct namelist *h;
+ register struct namelist *h, *nexth;
files = expand(files, E_VARS|E_SHELL);
hosts = expand(hosts, E_ALL);
- for (h = hosts; h != NULL; free(h), h = h->n_next) {
+ for (h = hosts; h != NULL; nexth = h->n_next, free(h), h = nexth) {
/*
* Search command list for an update to the same host.
*/
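Review bot: in the increment clause of the for loop, the ordering that matters (read h->n_next, then free(h), then advance) is packed into one comma expression, where a later edit can easily reorder it and reintroduce the read of freed memory. Saving the pointer as the first statement of the loop body (nexth = h->n_next;) and keeping only "free(h), h = nexth" in the increment would make the dependency explicit, and a short comment saying why nexth exists would help. Separately, hosts still points at the head of the freed list once the loop finishes; the rest of the function is not visible in this hunk, so it is worth confirming nothing reads hosts afterwards, or setting it to NULL after the loop.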
>Audit-Trail:
>Unformatted: