Bug in handle_redirect function in client.c

From: Green, Paul
Subject: Bug in handle_redirect function in client.c
Date: Thu, 29 Aug 2013 21:08:55 +0000

The cvs client-20 self-test deliberately sets up a negative test that, if it 
fails, will never terminate. There is a latent defect in the handle_redirect 
function in client.c that can, under some circumstances, lead to the client-20 
self-test getting into an infinite loop.

The problem is that the caller of handle_redirect passes in a character string 
that has been allocated in the heap, and shortly after handle_redirect returns, 
frees this storage. Sadly, handle_redirect can squirrel away a pointer to this 
storage. See "get_server_responses", also in client.c.

We tripped over this on OpenVOS Release 17.2 because (AFAICT), the storage 
allocator does a better job reusing freed storage.

Extracted from client.c, version 1.12.13; the code in the "#ifdef __VOS__" 
branch eliminates the reference to soon-to-be-freed storage, and we can now run 
the self-tests again.

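static void
handle_redirect (char *args, size_t len)
{
    static List *redirects = NULL;

    TRACE (TRACE_FUNCTION, "handle_redirect (%s)", args);

    if (redirects && findnode (redirects, args))
     error (1, 0, "`Redirect' loop detected.  Server misconfiguration?");
    else
    {
     if (!redirects) redirects = getlist();
#ifdef __VOS__
     /* Keep a private copy: the caller frees args shortly after we return. */
     push_string (redirects, xstrdup (args));
#else
     /* Original code: keeps the caller's pointer in the list. */
     push_string (redirects, args);
#endif
    }
    /* ... rest of handle_redirect not shown ... */
}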

Sr. Technical Consultant, Stratus Technologies Inc.
Office: +1-978-461-7557; Mobile: +1-978-235-2451; Twitter: @stratuspaulg
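
Added example (not part of the original message and not CVS code): a small C model of why keeping the caller's pointer can make the loop check miss a repeated redirect, next to the owning-copy behaviour of the xstrdup branch. The names `struct seen`, `note_redirect` and `first_loop_detected` and the response lines are hypothetical, and two fixed buffers used in turn stand in for heap storage that the allocator reuses, so the model never touches freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEEN 8
/* Hypothetical stand-in for the client's redirect list; not the CVS List API. */
struct seen { char *key[MAX_SEEN]; size_t n; };

/* Returns 1 if target is already recorded (loop), else records it and returns 0.
   own_copy == 0 stores the caller's pointer; own_copy == 1 stores a private copy. */
static int note_redirect(struct seen *s, char *target, int own_copy)
{
    for (size_t i = 0; i < s->n; i++)
        if (strcmp(s->key[i], target) == 0)
            return 1;
    if (s->n == MAX_SEEN) return 0;             /* list full: target not recorded */
    char *k = target;
    if (own_copy && (k = malloc(strlen(target) + 1)) != NULL)
        strcpy(k, target);
    if (k != NULL) s->key[s->n++] = k;
    return 0;
}

/* Feeds constructed response lines through two buffers used in turn, modelling an
   allocator that reuses freed storage. Returns the index of the response at which
   the loop is detected, or -1 if it never is. */
static int first_loop_detected(int own_copy)
{
    static const char *const responses[] = {    /* constructed sample input */
        "Redirect :ext:host-a/repo", "ok", "ok", "Redirect :ext:host-a/repo" };
    char slot[2][64];
    struct seen s = { {0}, 0 };
    int detected = -1;
    for (size_t i = 0; i < sizeof responses / sizeof *responses && detected < 0; i++) {
        char *line = slot[i % 2];
        memset(line, 0, sizeof slot[0]);        /* reuse wipes the old contents */
        snprintf(line, sizeof slot[0], "%s", responses[i]);
        if (strncmp(line, "Redirect ", 9) == 0 && note_redirect(&s, line + 9, own_copy))
            detected = (int)i;
    }
    for (size_t i = 0; own_copy && i < s.n; i++)
        free(s.key[i]);
    return detected;
}

int main(void)
{
    printf("borrowed: %d, owned: %d\n", first_loop_detected(0), first_loop_detected(1));
    return 0;
}
```

With the borrowed pointer the stored key is overwritten when its buffer is reused, so the repeated redirect is never matched; with the private copy it is matched at the fourth response.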
