Bugtraq mailing list archives
Re: fts...(improved patch)
From: stas () SONET CRIMEA UA (Stas Kisel)
Date: Fri, 14 May 1999 14:37:03 +0400
From: Jordan Ritter <jpr5 () darkridge com>
> OpenBSD definitely has the same problem. Last thing I remember thinking was that it was dying because realloc() was failing (as the fts stuff realloc()'s memory as the path grows)..
fts realloc()s only (pathlen + ~1000 bytes) of memory, so realloc succeeds. The bug is in the adjusting of pointers after realloc(). The day after sending the patch I found other circumstances that triggered a similar bug in fts. This time some pointers were adjusted which did not belong to the realloc()-ed memory chunk. The improved patch is below. Sorry for the inconvenience. Probably there are some similar bugs in the fts code or the patch. Please let me know if you see any.

\bye Stas

----------------------------- patch ----------------------------------
--- /usr/src/lib/libc/gen/fts.c.orig Tue May 11 13:37:49 1999 +++ /usr/src/lib/libc/gen/fts.c Fri May 14 14:02:58 1999 @@ -740,8 +740,26 @@ * If had to realloc the path, adjust the addresses for the rest * of the tree. */ - if (adjaddr) + if (adjaddr){ fts_padjust(sp, adjaddr); + /* Adjust the list, because we want to return it robust. */ +/* fix p->fts_path and p->fts_accpath + p->fts_accpath can be: + either cur->fts_path (adjust, because cur is already adjusted) + either p->fts_path (adjust) + either p->fts_name (do not adjust) + I'm also almost sure that in first case cur->fts_path=p->fts_path... +*/ +#define ADJUST1(p) if((p)->fts_path != adjaddr){ \ + if((p)->fts_accpath != (p)->fts_name){ \ + (p)->fts_accpath = \ + (char *)adjaddr + ((p)->fts_accpath - (p)->fts_path);\ + } \ + (p)->fts_path = adjaddr; \ +} + for (p = head; p; p = p->fts_link) + ADJUST1(p); + } /* * If not changing directories, reset the path back to original 
@@ -974,18 +992,20 @@ { FTSENT *p; -#define ADJUST(p) { \ - (p)->fts_accpath = \ - (char *)addr + ((p)->fts_accpath - (p)->fts_path); \ +#define ADJUST2(p) { \ + if((p)->fts_accpath != (p)->fts_name){ \ + (p)->fts_accpath = \ + (char *)addr + ((p)->fts_accpath - (p)->fts_path); \ + } \ (p)->fts_path = addr; \ } /* Adjust the current set of children. */ for (p = sp->fts_child; p; p = p->fts_link) - ADJUST(p); + ADJUST2(p); /* Adjust the rest of the tree. */ for (p = sp->fts_cur; p->fts_level >= FTS_ROOTLEVEL;) { - ADJUST(p); + ADJUST2(p); p = p->fts_link ? p->fts_link : p->fts_parent; } } ----------------------------- /patch ----------------------------------
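Review bot: in the first hunk (@@ -740,8 +740,26 @@) the correctness of ADJUST1 rests on the "I'm also almost sure" assumption in its own comment. If an entry's fts_accpath is cur->fts_path, which fts_padjust has already moved to adjaddr, while p->fts_path still holds the old buffer address, then `(p)->fts_accpath - (p)->fts_path` subtracts pointers from two different blocks and yields a garbage offset; the `fts_path != adjaddr` guard only prevents that when cur->fts_path and p->fts_path were the same pointer to begin with. Suggest making the invariant explicit (rebase from an offset recorded before the realloc, or compare fts_accpath against the old buffer address rather than relying on fts_path) instead of leaving it as a comment. Two style points: ADJUST1 expands to a bare `if (...) { ... }`, so `ADJUST1(p);` works as the for-loop body here but would misbind under a following `else`; wrap it in `do { ... } while (0)` like the existing ADJUST macro's brace block, and `#undef` it after the loop since it is defined mid-function. `if (adjaddr){` also departs from the surrounding brace style.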
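Review bot: in the second hunk (@@ -974,18 +992,20 @@) the `fts_accpath != fts_name` test is the real fix, and it deserves a one-line comment: the old ADJUST rebased every entry as if fts_accpath pointed inside fts_path, so an entry whose accpath was its fts_name ended up with `(char *)addr + ((p)->fts_accpath - (p)->fts_path)` computed from two unrelated buffers. With that guard in place, ADJUST2 differs from the ADJUST1 added in the first hunk only by the extra `fts_path != adjaddr` check, so two near-identical macros will drift; suggest a single macro or small static function taking the new address as a parameter, used by both fts_padjust and the new loop in fts_build, which also removes the need for the ADJUST to ADJUST2 rename.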
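The pointer-rebasing step the message describes, as an added illustration in C that is not code from fts.c or from this patch: a hypothetical `ent` struct stands in for the FTSENT fields fts_path, fts_accpath, fts_name and fts_link, and `grow_path` and `demo_rebase` are made-up names. It rebases only the pointers that actually lived inside the realloc()-ed block and leaves an accpath that is the entry's own name alone, which is the check the improved patch adds; it also records the offsets before the realloc instead of subtracting old pointers afterwards.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical entry mirroring the FTSENT fields the patch touches. */
typedef struct ent {
    char *path;        /* like fts_path: the shared, growable path buffer */
    char *accpath;     /* like fts_accpath: inside path, or == name */
    char name[16];     /* like fts_name: lives outside the buffer */
    ptrdiff_t accoff;  /* scratch: offset of accpath inside path, or -1 */
    struct ent *link;  /* like fts_link */
} ent;

/* Grow the shared buffer with realloc() and rebase every pointer that lived
 * inside it. Offsets are taken before the realloc, so no arithmetic is done
 * on pointers into the released block. Returns NULL, entries untouched and
 * the old buffer still valid, if realloc fails. */
char *grow_path(char *buf, size_t newlen, ent *head)
{
    ent *p;
    for (p = head; p; p = p->link)
        p->accoff = (p->accpath == p->name) ? -1 : p->accpath - p->path;
    char *newbuf = realloc(buf, newlen);
    if (newbuf == NULL) return NULL;
    for (p = head; p; p = p->link) {
        p->path = newbuf;
        if (p->accoff >= 0)      /* pointed into the moved block: rebase */
            p->accpath = newbuf + p->accoff;
        /* accoff == -1: accpath is the entry's own name; not touched */
    }
    return newbuf;
}

/* Two entries share one 16-byte buffer (constructed sample); grow it to 4096
 * bytes and check both pointers survive. Returns 1 on success, 0 otherwise. */
int demo_rebase(void)
{
    ent a = {0}, b = {0};
    char *buf = malloc(16);
    if (buf == NULL) return 0;
    strcpy(buf, "/usr/src/a");
    a.path = buf; a.accpath = buf + 9; strcpy(a.name, "a"); /* into buffer */
    b.path = buf; strcpy(b.name, "b"); b.accpath = b.name;  /* own name */
    a.link = &b;
    char *nb = grow_path(buf, 4096, &a);
    if (nb == NULL) { free(buf); return 0; }
    int ok = a.path == nb && a.accpath == nb + 9 && strcmp(a.accpath, "a") == 0
          && b.path == nb && b.accpath == b.name && strcmp(b.accpath, "b") == 0;
    free(nb);
    return ok;
}
```

Without the `accpath == name` exclusion, entry `b` would receive a pointer computed from the distance between its own `name` array and an unrelated heap block, which is the defect the improved patch guards against.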