Bug 5845 - ypserv crashes in mangle_password
ypserv crashes in mangle_password
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: ypserv (Show other bugs)
6.1
All Linux
medium Severity high
Assigned To: Cristian Gafton
Reported: 1999-10-11 16:02 EDT by Gordon Messmer
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-10-29 14:05:22 EDT
Description Gordon Messmer 1999-10-11 16:02:49 EDT
There are several calls to free() in ypserv that should be
ypdb_free.  Attempts to free pointers in NDBM datum
structures cause core dumps when yp clients attempt to
authenticate against a yp server.  The following patch fixed
the problem here.

--- ypserv-1.3.7/makedbm.c.orig Sun Oct 10 19:10:48 1999
+++ ypserv-1.3.7/makedbm.c      Sun Oct 10 19:18:27 1999
@@ -475,7 +475,7 @@
       printf ("%.*s %.*s\n",
              key.dsize, key.dptr,
              data.dsize, data.dptr);
-      free (data.dptr);
+      ypdb_free (data.dptr);
     }
 #elif defined(HAVE_NDBM)
   key = dbm_firstkey (dbm);
--- ypserv-1.3.7/server.c.orig  Sun Oct 10 19:10:54 1999
+++ ypserv-1.3.7/server.c       Sun Oct 10 19:24:06 1999
@@ -136,7 +136,7 @@
               p[anz] = val->dptr[k];
               ++anz;
             }
-          free (val->dptr);
+          ypdb_free (val->dptr);
           val->dptr = strdup (p);
           val->dsize = anz;
           return 0;
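Review bot: The replacement buffer installed on the line after the changed call comes from `strdup (p)` and is never checked, so an allocation failure leaves `val->dptr == NULL` with `val->dsize = anz` and the function still returns 0. A guard such as `if (val->dptr == NULL) { val->dsize = 0; return -1; }` would stop a NULL pointer with a non-zero length from reaching the reply path, assuming callers treat a non-zero return as failure. Note also that after this line `val->dptr` is malloc-owned, so whichever caller releases it must use `free`, not `ypdb_free`, if the two really differ in the NDBM build; a one-line comment stating the ownership (`/* val->dptr is now malloc()ed by strdup; release with free() */`) would help. The function body starts and ends outside the hunk, so the termination of `p` before `strdup` cannot be checked from here.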
@@ -673,7 +673,7 @@
           dkey = ypdb_nextkey (dbp, oldkey);
          while (dkey.dptr != NULL && strncmp (dkey.dptr,
"YP_", 3) == 0)
            {
-             free (oldkey.dptr);
+             ypdb_free (oldkey.dptr);
              oldkey.dsize = dkey.dsize;
              oldkey.dptr = strndup (dkey.dptr, dkey.dsize);
              ypdb_free (dkey.dptr);
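Review bot: Inside this loop `oldkey.dptr` is reassigned from `strndup (dkey.dptr, dkey.dsize)`, so from the second iteration on the new `ypdb_free (oldkey.dptr)` releases malloc-owned memory through the database-layer deallocator. If `ypdb_free` is not plain `free` in the NDBM build (which is the premise of the report), this reintroduces the same allocator mismatch in the opposite direction. The same pattern appears in the `@@ -952` hunk and in the `ypdb_free (oldkey.dptr)` after the loop in the `@@ -960` hunk. One way to keep ownership uniform is to hand the db-owned key over directly instead of copying it, e.g. `oldkey = dkey;` in place of the `strndup`/`ypdb_free (dkey.dptr)` pair, provided nothing downstream relies on the NUL terminator `strndup` adds. The `strndup` result is also unchecked. The loop's enclosing function lies outside the hunk.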
@@ -952,7 +952,7 @@
   /* XXX Replace strncmp */
   while (dkey.dptr != NULL && strncmp (dkey.dptr, "YP_", 3)
== 0)
     {
-      free (oldkey.dptr);
+      ypdb_free (oldkey.dptr);
       oldkey.dsize = dkey.dsize;
       oldkey.dptr = strndup (dkey.dptr, dkey.dsize);
       ypdb_free (dkey.dptr);
@@ -960,7 +960,7 @@
       dkey = ypdb_nextkey (((ypall_data_t) data)->dbm,
oldkey);
     }

-  free (oldkey.dptr);
+  ypdb_free (oldkey.dptr);
 #endif

   if (dkey.dptr == NULL)
@@ -1120,7 +1120,7 @@

          ypdb_close (data->dbm);
        }
-      free (data);
+      ypdb_free (data);
     }

   if (debug_flag)
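Review bot: `data` is dereferenced as `data->dbm` two lines above the changed call, so it appears to be the request-state structure rather than a `dptr` buffer handed out by the database layer. The report's rationale (datum pointers must go through `ypdb_free`) does not obviously cover it. If the structure was obtained from `malloc`/`calloc`, `free (data);` is the matching release and this line should stay as it was. Please confirm against the allocation site, which is outside the hunk, and note the owner in a comment such as `/* data was malloc()ed in <allocating function>; not a datum buffer */`.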
Comment 1 Bill Nottingham 1999-10-29 14:05:59 EDT
I believe this is fixed in the errata release.
