[Bug-tar] 1.23: use after free()
From: Christian Weisgerber
Subject: [Bug-tar] 1.23: use after free()
Date: Thu, 25 Mar 2010 17:18:06 +0100
User-agent: Mutt/1.4.2.3i
The junk-fill malloc() debugging function on BSD reveals that there is
some sort of use-after-free() bug in 1.23.
Specifically, if you run the test suite with MALLOC_OPTIONS=J set,
test 44 (incr06) fails because tar dumps core.
(gdb) bt
#0 strcmp (
s1=0x20392a0c0
"/usr/obj/gtar-1.23/tar-1.23/tests/testsuite.dir/44/gnu/dir/sub",
s2=0xdfdfdfdfdfdfdfdf <Address 0xdfdfdfdfdfdfdfdf out of bounds>)
at /usr/src/lib/libc/string/strcmp.c:47
#1 0x000000000041c236 in name_compare (entry1=0x20af9a780, entry2=0x20af9ad00)
at names.c:837
#2 0x000000000043a9be in hash_find_entry (table=0x20af9ac80,
entry=0x20af9a780, bucket_head=0x7f7ffffef8d0, delete=false) at hash.c:828
#3 0x000000000043ae4f in hash_insert (table=0x20af9ac80, entry=0x20af9a780)
at hash.c:1042
#4 0x000000000041c62f in collect_and_sort_names () at names.c:970
#5 0x000000000040bb73 in create_archive () at create.c:1283
#6 0x0000000000424ccf in main (argc=12, argv=0x7f7ffffefa80) at tar.c:2605
This is on OpenBSD where 0xdf is the pattern used to fill free()ed
areas. The problem is equally reproducible on FreeBSD.
Maybe a missing strdup() somewhere?
--
Christian "naddy" Weisgerber address@hidden
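The bug class the report points at, as an added C example that is not tar's code and not part of the original message: a name table that keeps a caller's pointer to a temporary buffer instead of a strdup() copy, consulted after that buffer has been released. The allocator here imitates the junk-fill-on-free behaviour of MALLOC_OPTIONS=J (0xdf fill) but deliberately quarantines the block instead of recycling it, so the pattern can be observed without undefined behaviour; the names (name_table, junk_alloc, run_scenario) and the "dir/sub" path are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo, not tar's code: a name table that either borrows the
 * caller's pointer (the bug class the report describes) or keeps its own
 * strdup() copy (the fix the report suggests). */

#define JUNK_BYTE 0xdf   /* OpenBSD's free() fill pattern under MALLOC_OPTIONS=J */
#define MAX_NAMES 8

struct name_table {
    char *names[MAX_NAMES];
    size_t count;
    int owns_copies;     /* 1: store strdup() copies, 0: store borrowed pointers */
};

/* Quarantining allocator that imitates junk-fill-on-free: the block is
 * overwritten with JUNK_BYTE but never recycled, so a later read is defined
 * behaviour in this demo and the pattern stays observable. A real junk-filling
 * malloc also reuses or unmaps the block, which is why the report's strcmp()
 * ended up dereferencing 0xdfdfdfdfdfdfdfdf and crashed. */
struct junk_block { size_t size; unsigned char data[]; };

static void *junk_alloc(size_t size)
{
    struct junk_block *b = malloc(sizeof *b + size);
    if (b == NULL) return NULL;
    b->size = size;
    return b->data;
}

static void junk_free(void *p)
{
    struct junk_block *b;
    if (p == NULL) return;
    b = (struct junk_block *)((unsigned char *)p - offsetof(struct junk_block, data));
    memset(b->data, JUNK_BYTE, b->size);
    /* intentionally not released (quarantined): a demo-only simplification */
}

static int name_table_add(struct name_table *t, char *name)
{
    if (t->count >= MAX_NAMES) return -1;
    t->names[t->count] = t->owns_copies ? strdup(name) : name;
    if (t->names[t->count] == NULL) return -1;
    t->count++;
    return 0;
}

static int name_table_contains(const struct name_table *t, const char *name)
{
    size_t i;
    for (i = 0; i < t->count; i++)
        if (strcmp(t->names[i], name) == 0)   /* the call that crashed in the report */
            return 1;
    return 0;
}

/* Check a debugging build could run: count entries whose first byte is the
 * free() fill pattern, i.e. pointers into memory that has already been released. */
static size_t name_table_count_junked(const struct name_table *t)
{
    size_t i, n = 0;
    for (i = 0; i < t->count; i++)
        if ((unsigned char)t->names[i][0] == JUNK_BYTE)
            n++;
    return n;
}

static void name_table_clear(struct name_table *t)
{
    size_t i;
    if (t->owns_copies)
        for (i = 0; i < t->count; i++)
            free(t->names[i]);
    t->count = 0;
}

/* Replay the shape of the report: a path is assembled in a temporary buffer,
 * registered in the table, and the buffer is released before the table is
 * consulted. Returns 1 if the lookup still succeeds, 0 if the name is gone,
 * -1 on allocation failure; *junked receives the number of entries that
 * point at freed (junk-filled) memory. */
int run_scenario(int owns_copies, size_t *junked)
{
    struct name_table t = { {0}, 0, owns_copies };
    char *tmp = junk_alloc(64);
    int found;

    if (tmp == NULL) return -1;
    snprintf(tmp, 64, "%s/%s", "dir", "sub");     /* constructed path */
    if (name_table_add(&t, tmp) != 0) { junk_free(tmp); return -1; }
    junk_free(tmp);                               /* the "missing strdup()" moment */

    *junked = name_table_count_junked(&t);
    found = name_table_contains(&t, "dir/sub");
    name_table_clear(&t);
    return found;
}

int main(void)
{
    size_t junked;
    int found = run_scenario(0, &junked);
    printf("borrowed pointers: lookup %s, %zu entries point at junk\n",
           found ? "ok" : "FAILED", junked);
    found = run_scenario(1, &junked);
    printf("strdup() copies:   lookup %s, %zu entries point at junk\n",
           found ? "ok" : "FAILED", junked);
    return 0;
}
```

With borrowed pointers the lookup fails and the junk scan flags one entry; with strdup() copies the lookup succeeds and nothing is flagged. The strcmp() in the borrowed case stops at the first byte (0xdf versus 'd'), which is why the demo does not read past the quarantined block; a real allocator offers no such guarantee, which is exactly what the backtrace shows.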