Package: libc6
Version: 2.2.5-11.5
Severity: important
Tags: patch
Hi,
There appears to be a bug in sunrpc/pmap_prot2.c. When
xdr_pmaplist() goes to free the pmaplist it does so in such a way
that uses memory after it has been free'd. This causes
unexpected behaviour, as expected. Some hosts SIGSEGV; some
hosts don't care. I checked glibc cvs and the offending code is
still there, FYI. A tarball including a test program that
demonstrates the problem is attached.
-David
* sunrpc/pmap_prot2.c (xdr_pmaplist) : When free'ing the pmaplist
don't hold on to and use memory that has been free'd. Instead,
just save a copy of the value of the pointer we are interested in
and use that to update *rp as we traverse the list.
--- sunrpc/pmap_prot2.c.orig Thu Jan 29 09:24:27 2004
+++ sunrpc/pmap_prot2.c Thu Jan 29 10:22:35 2004
@@ -93,7 +93,7 @@
*/
bool_t more_elements;
int freeing = (xdrs->x_op == XDR_FREE);
- struct pmaplist **next = NULL;
+ struct pmaplist *next = NULL;
while (TRUE)
{
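Review bot: the type change from `struct pmaplist **` to `struct pmaplist *` is the substance of the fix and looks right: the old `next` held the address of the `pml_next` field inside the very element that `xdr_reference` is about to free, so it dangled as soon as the free happened, whereas a plain `struct pmaplist *` holds a copy of the successor's address that is unaffected by freeing the current element. Since `next` is now a saved value rather than a cursor, a name such as `next_elem` would make the intent more obvious, and the `= NULL` initialiser is fine because the variable is only read on the freeing path after being assigned on the same path.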
@@ -108,11 +108,14 @@
* before we free the current object ...
*/
if (freeing)
- next = &((*rp)->pml_next);
+ next = ((*rp)->pml_next);
if (!xdr_reference (xdrs, (caddr_t *) rp,
(u_int) sizeof (struct pmaplist),
(xdrproc_t) xdr_pmap))
return FALSE;
- rp = freeing ? next : &((*rp)->pml_next);
+ if (freeing)
+ *rp = next;
+ else
+ rp = &((*rp)->pml_next);
}
}
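Review bot: the replacement logic is correct but the assignment `next = ((*rp)->pml_next);` carries a redundant pair of parentheses left over from the old `&((*rp)->pml_next)`; write it as `next = (*rp)->pml_next;`. The write-back `*rp = next;` is what makes this work: on the freeing path `rp` is never advanced, so each iteration frees the element at `*rp` and then stores the saved successor into the caller's slot, which means the loop's exit condition (outside the visible lines) must test `*rp` rather than the cursor, and that after the last element the caller's list head is left NULL, consistent with what `xdr_reference` does for a single freed object. It would be worth a one-line comment above `*rp = next;` saying that `next` was copied before the free precisely because `(*rp)->pml_next` is no longer readable at that point, so the next person touching this does not "simplify" it back into the use-after-free.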
-- System Information
Debian Release: 3.0-bunk-1
Architecture: i386
Kernel: Linux fumanchu 2.4.21 #8 SMP Tue Aug 26 15:34:09 CEST 2003 i686
Locale: LANG=fr_FR, LC_CTYPE=fr_FR
Attachment:
bug.tar.gz
Description: application/tar-gz