[586] in Athena Bugs
[comp.bugs.4bsd: Bug found in lib/libc/gen/getwd.c on 4.3 BSD Vax 11/780]
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Sun Aug 7 11:37:28 1988
Date: Sun, 7 Aug 88 11:36:32 EDT
From: Ken Raeburn <raeburn@ATHENA.MIT.EDU>
To: bugs@ATHENA.MIT.EDU
------- Forwarded Message
From: <raeburn@ATHENA.MIT.EDU>
Date: Sun, 7 Aug 88 02:24:21 EDT
To: raeburn@ATHENA.MIT.EDU
Path: bloom-beacon!think!ames!ubvax!vsi1!altnet!uunet!munnari!otc!metro!basser!usage!cad!pcng
From: pcng@cad.jmrc.eecs.unsw.oz (Also known as Andrew)
Newsgroups: comp.bugs.4bsd
Subject: Bug found in lib/libc/gen/getwd.c on 4.3 BSD Vax 11/780
Keywords: malloc, opendir, closedir, readdir
Message-ID: <314@snail.cad.jmrc.eecs.unsw.oz>
Date: 27 Jul 88 02:06:51 GMT
Organization: JMRC, School of Electrical Engineering, UNSW, Australia
Lines: 67
VERSION:
getwd.c 5.2 (Berkeley) 3/9/86
CLIENT MACHINE:
VAX 11/780
CLIENT OPERATING SYSTEM:
BSD UNIX 4.3 Release ???
SYNOPSIS:
Misplaced library call closedir() in getwd().
DESCRIPTION:
The problem arises when the function prepend() is trying to access the
file name which is a segment of memory allocated within the opendir()
function call. This segment, however, is no longer valid if the
closedir() function call is issued.
REPEAT-BY:
This bug can only be demonstrated with your own malloc package instead
of the standard one. The malloc package has to be able to either erase
the memory to be freed with junk data or release the memory back to
the system (via sbrk(2)).
FIX:
Just swap two lines.
*** /usr/src/lib/libc/gen/getwd.c Mon Mar 10 14:49:35 1986
--- getwd.c Wed Jul 27 09:52:24 1988
***************
*** 85,92 ****
strcpy(dptr, dir->d_name);
lstat(curdir, &dd);
} while(dd.st_ino != cino || dd.st_dev != cdev);
- closedir(dirp);
pnptr = prepend("/", prepend(dir->d_name, pnptr));
}
if (*pnptr == '\0') /* current dir == root dir */
strcpy(pathname, "/");
--- 85,93 ----
strcpy(dptr, dir->d_name);
lstat(curdir, &dd);
} while(dd.st_ino != cino || dd.st_dev != cdev);
pnptr = prepend("/", prepend(dir->d_name, pnptr));
+ /* Now is save to close the directory pointer */
+ closedir(dirp);
}
if (*pnptr == '\0') /* current dir == root dir */
strcpy(pathname, "/");
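Review bot: The comment added above closedir(dirp) has a typo ("save" should be "safe") and does not say why the order matters. Per the description, dir->d_name refers to storage that belongs to dirp, so prepend() has to finish with it before closedir(dirp) runs; a comment such as "dir->d_name lives in dirp's storage; close only after prepend() has used it" would record that invariant and keep the two lines from being swapped back later. Separately, the context line lstat(curdir, &dd) ignores its return value, so after a failed lstat the loop condition compares whatever was already in dd; that is outside this change but worth a follow-up.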
---------------------
_ _. __ _,
--- /_)_(__/) )_(_)_ [ Also known as Andrew ]
/ /|
' |/
----------------
Po Cheung NG ISD: +61 2 697-4056
JMRC, School of Elec. Eng. and Comp. Sci., STD: (02) 697-4056
The University of New South Wales, FAX: +61 2 662-2087
PO Box 1, Kensington, ARPA: pcng%cad.jmrc.eecs.unsw.oz.au@uunet.uu.net
Sydney, NSW 2033, JANET: cad.jmrc.eecs.unsw.oz!pcng@ukc
AUSTRALIA. ACSnet: pcng@cad.jmrc.eecs.unsw.oz
UUCP: {enea,hplabs,mcvax,prlb2,uunet,ubc-vision,ukc}!munnari!cad.jmrc.eecs.unsw.oz!pcng
------- End Forwarded Message
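
The REPEAT-BY technique above (a free routine that scribbles junk over released memory) shown on a constructed stand-in for the directory stream. This is an added example, not part of the original post or of the 4.3BSD sources. The toy_* names, POISON and component_survives() are hypothetical, and the "freed" block is kept allocated so that the stale read is well defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xA5   /* junk byte written over "freed" storage */

/* Constructed model: the entry handed back by the read call lives inside
 * storage owned by the stream, as the DESCRIPTION says of opendir(). */
struct toy_entry { char d_name[32]; };
struct toy_dir   { struct toy_entry ent; };

static struct toy_dir *toy_opendir(void) {
    return calloc(1, sizeof(struct toy_dir));
}
static struct toy_entry *toy_readdir(struct toy_dir *d, const char *name) {
    snprintf(d->ent.d_name, sizeof d->ent.d_name, "%s", name);
    return &d->ent;
}
/* Debug close: erase the stream with junk, as a poisoning malloc package
 * would on free(), but leave the block allocated (quarantined). */
static void toy_closedir(struct toy_dir *d) { memset(d, POISON, sizeof *d); }
static void toy_release(struct toy_dir *d)  { free(d); }

/* patched == 0: close first, then read d_name (pre-patch order).
 * patched == 1: read d_name, then close (order after the fix).
 * Returns 1 if the path component read back is intact, 0 if it is junk. */
static int component_survives(int patched) {
    char out[sizeof ((struct toy_entry *)0)->d_name];
    struct toy_dir *d = toy_opendir();
    if (d == NULL) return -1;
    struct toy_entry *e = toy_readdir(d, "src");
    if (!patched) toy_closedir(d);            /* entry is now stale */
    memcpy(out, e->d_name, sizeof out - 1);   /* bounded: junk has no NUL */
    out[sizeof out - 1] = '\0';
    if (patched) toy_closedir(d);             /* name already copied out */
    toy_release(d);
    return strcmp(out, "src") == 0;
}

int main(void) {
    printf("pre-patch order intact: %d\n", component_survives(0));
    printf("patched order intact:   %d\n", component_survives(1));
    return 0;
}
```

With the standard allocator the stale bytes usually still hold the old name, which is why the bug stays hidden until freed memory is overwritten or returned to the system.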