Package: libc6 Version: 2.2.5-11.5 Severity: important Tags: patch Hi, There appears to be a bug in sunrpc/pmap_prot2.c. When xdr_pmaplist() goes to free the pmaplist it does so in such a way that uses memory after it has been free'd. This causes unexpected behaviour, as expected. Some hosts SIGSEGV; some hosts don't care. I checked glibc cvs and the offending code is still there, FYI. A tarball including a test program that demonstrates the problem is attached. -David * sunrpc/pmap_prot2.c (xdr_pmaplist) : When free'ing the pmaplist don't hold on to and use memory that has been free'd. Instead, just save a copy of the value of the pointer we are interested in and use that to update *rp as we traverse the list`. --- sunrpc/pmap_prot2.c.orig Thu Jan 29 09:24:27 2004 +++ sunrpc/pmap_prot2.c Thu Jan 29 10:22:35 2004 @@ -93,7 +93,7 @@ */ bool_t more_elements; int freeing = (xdrs->x_op == XDR_FREE); - struct pmaplist **next = NULL; + struct pmaplist *next = NULL; while (TRUE) { @@ -108,11 +108,14 @@ * before we free the current object ... */ if (freeing) - next = &((*rp)->pml_next); + next = ((*rp)->pml_next); if (!xdr_reference (xdrs, (caddr_t *) rp, (u_int) sizeof (struct pmaplist), (xdrproc_t) xdr_pmap)) return FALSE; - rp = freeing ? next : &((*rp)->pml_next); + if (freeing) + *rp = next; + else + rp = &((*rp)->pml_next); } } -- System Information Debian Release: 3.0-bunk-1 Architecture: i386 Kernel: Linux fumanchu 2.4.21 #8 SMP Tue Aug 26 15:34:09 CEST 2003 i686 Locale: LANG=fr_FR, LC_CTYPE=fr_FR
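Review bot: the second hunk (`@@ -108,11 +108,14 @@`) fixes the use-after-free correctly, but the new freeing path deserves a comment, because it now behaves differently from the non-freeing path: `rp` is never advanced while freeing; instead the caller's list-head slot is overwritten with `next` on every iteration, so `*rp` walks the chain in place and ends up NULL once the last element is freed, which is the terminal state a caller doing an XDR_FREE should see. Suggest extending the existing "we must remember the next object before we free the current object" comment to say so, e.g. "when freeing, *rp is rewritten to point at the next element, so the head is NULL when we return". Minor style point in the same hunk: the parentheses in `next = ((*rp)->pml_next);` are redundant now that the address-of is gone; `next = (*rp)->pml_next;` reads better. The change in the first hunk from `struct pmaplist **next` to `struct pmaplist *next` is the essential part: the old code saved the address of `pml_next` inside the object that `xdr_reference` was about to free, and then dereferenced it on the next iteration.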
Attachment:
bug.tar.gz
Description: application/tar-gz