[606] in Zephyr_Bugs


zephyr server crashing due to memory error

daemon@ATHENA.MIT.EDU (E. Jay Berkenbilt)
Thu Jul 6 11:29:29 1995

Date: Thu, 6 Jul 1995 11:26:04 -0400
From: "E. Jay Berkenbilt" <ejb@ERA.COM>
To: bug-zephyr@MIT.EDU


Remember that realloc() reserves the right to move memory and copy to
a new location.  There is some logic in class.c in the zephyr server
that calls realloc but has a pointer pointing into the old array.  In
the normal case when realloc() can succeed in enlarging the dynamic
memory at the same address, this is fine, but sometimes realloc()
returns a moved pointer.  I believe this fix will be sufficient.  You
may want to check other occurrences of realloc() in the code to make
sure this logic error is not repeated.

BTW, I found this with purify.  It is a terrific tool worth the cost.
(Too bad they have such an obnoxious license policy.  If only there
were a free tool that could come close....)  Purify detected an array
bounds write assigning to *clientp at the end of this routine.  I
looked at the code and spotted the incorrect use of realloc().  

On an unrelated note, the Makefile.in in server forgets to include
$(DEBUG) in the link line for zephyrd.  It is desirable and even
required in some cases to pass the -g along at link time if you are
debugging.  Also, some compilers or linkers can make use of -O as
well....  Just add $(DEBUG) after $(CC) here.  I didn't check other
Makefile.in's but I'd suggest checking them all when adding $(DEBUG)
here.

By the way, I am very impressed with this zephyr release.  The
packaging, builtin support for non-kerberos, portability, etc. are all
vast improvements over previous public releases.

At this point, I'm aware of only one more problem, and that is that
zwgc prints output from the regcomp routine.  I'll look into it and
possibly send a patch.  Then I have to get back to my real
work.... :-) 

I've enclosed a simple patch containing my two fixes.

                                Jay B

--
E. Jay Berkenbilt (ejb@ERA.COM)  |  Member, League for Programming Freedom
Engineering Research Associates  |  lpf@uunet.uu.net, http://www.lpf.org  

===========================================================================


--- server/class.c.dist	Fri Jun 30 18:11:03 1995
+++ server/class.c	Thu Jul  6 11:11:03 1995
@@ -319,6 +319,8 @@
 					     new_size * sizeof(Client *));
 	    if (newclients == NULL)
 		return ENOMEM;
+	    /* realloc may move the pointer */
+	    clientp = newclients + (clientp - triplet->clients);
 	    triplet->clients = newclients;
 	    triplet->clients_size = new_size;
 	}
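Review bot: The rebase on the added line `clientp = newclients + (clientp - triplet->clients);` computes the offset with `triplet->clients` after realloc() has already returned, at which point that old base pointer may refer to freed memory; the C standard makes even arithmetic on such a pointer undefined, although every common allocator tolerates it. Saving the offset before the call (`ptrdiff_t offset = clientp - triplet->clients;` ahead of the realloc, then `clientp = newclients + offset;` after the NULL check) avoids that and reads as obviously correct. If the surrounding routine keeps any other pointer into the old block (the end-of-array pointer it presumably compares `clientp` against), that pointer needs the same rebase.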
--- server/Makefile.in.dist	Sat Jul  1 15:52:55 1995
+++ server/Makefile.in	Thu Jul  6 11:26:53 1995
@@ -31,7 +31,7 @@
 all: zephyrd
 
 zephyrd: $(OBJS) $(BUILDTOP)/lib/zephyr/libzephyr.a @ETDEP@
-	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
+	$(CC) $(DEBUG) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
 
 zsrv_err.c zsrv_err.h: zsrv_err.et
 	$(COMPILE_ET) $(srcdir)/zsrv_err.et
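Review bot: Adding `$(DEBUG)` to the `zephyrd` link line covers only this one rule; the hunk does not show where `$(DEBUG)` is defined in this Makefile.in, so it is worth confirming the variable is set in the same file (an undefined make variable silently expands to nothing and the change becomes a no-op). The other Makefile.in files that link programs should receive the same edit so that `-g` reaches every link step, as the message itself notes.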
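The realloc() pitfall the message describes, as an added example that is not part of the original mail or of the Zephyr source: a routine keeps a cursor pointer into a dynamically grown array, grows the array with realloc(), and must rebase the cursor onto the new block because realloc() may have moved it. The `Client`, `Triplet`, `triplet_insert` and `realloc_demo` names are constructed stand-ins for the server's types, not Zephyr's own; the offset is saved before the realloc() call so the old base pointer is never used after it may have been freed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the server's Client and triplet types (hypothetical). */
typedef struct { int id; } Client;

typedef struct {
    Client **clients;     /* dynamically grown array of Client pointers */
    int clients_size;     /* allocated slots */
    int nclients;         /* slots in use */
} Triplet;

/* Insert c into t->clients, keeping ids ascending.  Returns 0 or ENOMEM.
 * The cursor 'clientp' points into the array, as in the server's routine; the
 * offset is taken before realloc() so the cursor can be rebased afterwards. */
int triplet_insert(Triplet *t, Client *c)
{
    Client **clientp = t->clients;
    Client **end = t->clients + t->nclients;

    while (clientp < end && (*clientp)->id < c->id)
        clientp++;

    if (t->nclients + 1 > t->clients_size) {
        int new_size = t->clients_size ? t->clients_size * 2 : 4;
        ptrdiff_t offset = clientp - t->clients;   /* old base is still valid here */
        Client **newclients = realloc(t->clients, (size_t)new_size * sizeof(Client *));
        if (newclients == NULL)
            return ENOMEM;
        clientp = newclients + offset;             /* rebase: the block may have moved */
        t->clients = newclients;
        t->clients_size = new_size;
    }

    /* open a slot at the cursor (recomputing the end from the new base) and store */
    memmove(clientp + 1, clientp,
            (size_t)(t->clients + t->nclients - clientp) * sizeof(Client *));
    *clientp = c;
    t->nclients++;
    return 0;
}

int triplet_is_sorted(const Triplet *t)
{
    for (int i = 1; i < t->nclients; i++)
        if (t->clients[i - 1]->id > t->clients[i]->id)
            return 0;
    return 1;
}

void triplet_free(Triplet *t)
{
    free(t->clients);
    t->clients = NULL;
    t->clients_size = t->nclients = 0;
}

/* Insert n clients in scrambled order, forcing several reallocations while the
 * cursor sits in the middle of the array; returns 1 if the array is intact. */
int realloc_demo(int n)
{
    Client *pool = calloc((size_t)n, sizeof(Client));
    if (pool == NULL)
        return 0;
    Triplet t = { NULL, 0, 0 };
    int ok = 1;
    for (int i = 0; i < n && ok; i++) {
        pool[i].id = (i * 37) % n;    /* a permutation of 0..n-1 when gcd(37, n) == 1 */
        if (triplet_insert(&t, &pool[i]) != 0)
            ok = 0;
    }
    if (ok)
        ok = (t.nclients == n) && triplet_is_sorted(&t)
             && t.clients[0]->id == 0 && t.clients[n - 1]->id == n - 1;
    triplet_free(&t);
    free(pool);
    return ok;
}

int main(void)
{
    printf("realloc cursor rebase: %s\n", realloc_demo(1000) ? "intact" : "corrupted");
    return 0;
}
```

Running the same insert loop with the rebase line removed is exactly the pattern a bounds checker such as the one the author mentions flags as a write past the old (freed) block whenever the allocator moves it.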
