Bug 5845 - ypserv crashes in mangle_password
Summary: ypserv crashes in mangle_password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ypserv
Version: 6.1
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Cristian Gafton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 1999-10-11 20:02 UTC by Gordon Messmer
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-10-29 18:05:22 UTC
Embargoed:



Description Gordon Messmer 1999-10-11 20:02:49 UTC
There are several calls to free() in ypserv that should be
ypdb_free().  Attempts to free pointers in NDBM datum
structures cause core dumps when yp clients attempt to
authenticate against a yp server.  The following patch fixed
the problem here.

--- ypserv-1.3.7/makedbm.c.orig Sun Oct 10 19:10:48 1999
+++ ypserv-1.3.7/makedbm.c      Sun Oct 10 19:18:27 1999
@@ -475,7 +475,7 @@
       printf ("%.*s %.*s\n",
              key.dsize, key.dptr,
              data.dsize, data.dptr);
-      free (data.dptr);
+      ypdb_free (data.dptr);
     }
 #elif defined(HAVE_NDBM)
   key = dbm_firstkey (dbm);
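Review bot: The new `ypdb_free (data.dptr);` sits in the preprocessor branch that ends at `#elif defined(HAVE_NDBM)`, so it is not compiled in an NDBM build and cannot contribute to the NDBM crash the report describes. For the backend this branch serves, the fetched buffer is presumably heap-owned and `free` was already correct, so the substitution is only safe if `ypdb_free` is declared for makedbm.c and resolves to `free` here; neither is visible in the hunk. I would keep the original call, or state the assumption next to it with a comment such as `/* data.dptr is caller-owned for this backend; ypdb_free must resolve to free here */`. The enclosing loop starts outside the hunk.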
--- ypserv-1.3.7/server.c.orig  Sun Oct 10 19:10:54 1999
+++ ypserv-1.3.7/server.c       Sun Oct 10 19:24:06 1999
@@ -136,7 +136,7 @@
               p[anz] = val->dptr[k];
               ++anz;
             }
-          free (val->dptr);
+          ypdb_free (val->dptr);
           val->dptr = strdup (p);
           val->dsize = anz;
           return 0;
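Review bot: `val->dptr = strdup (p);` stores a heap copy in the datum right after the database buffer is released, so from this point `val->dptr` may be database-owned or malloc-owned and the code that releases it later cannot tell which. If `ypdb_free` does nothing in an NDBM build, as the report implies, every such copy is leaked once it is released through `ypdb_free`; the `oldkey.dptr = strndup (...)` / `ypdb_free (oldkey.dptr)` pairs in the hunks at -673, -952 and -960 have the same shape. The `strdup` result is also used unchecked, which leaves `dptr == NULL` with `dsize = anz` on allocation failure; a guard such as `if (val->dptr == NULL) return -1;` (using whatever error value this function already returns) should precede the `dsize` assignment. The function body starts outside the hunk.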
@@ -673,7 +673,7 @@
           dkey = ypdb_nextkey (dbp, oldkey);
          while (dkey.dptr != NULL && strncmp (dkey.dptr,
"YP_", 3) == 0)
            {
-             free (oldkey.dptr);
+             ypdb_free (oldkey.dptr);
              oldkey.dsize = dkey.dsize;
              oldkey.dptr = strndup (dkey.dptr, dkey.dsize);
              ypdb_free (dkey.dptr);
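Review bot: The loop condition `strncmp (dkey.dptr, "YP_", 3) == 0` compares up to three bytes of a datum without consulting `dkey.dsize`, and datum buffers are not guaranteed to be NUL-terminated, so a key shorter than three bytes can be read past its end. A length-checked comparison avoids that: `dkey.dptr != NULL && dkey.dsize >= 3 && memcmp (dkey.dptr, "YP_", 3) == 0`. The same condition appears in the hunk at -952, where the source already carries an `XXX Replace strncmp` marker. The `strndup` result assigned to `oldkey.dptr` is not checked before it is passed back to `ypdb_nextkey`. The loop begins outside the hunk.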
@@ -952,7 +952,7 @@
   /* XXX Replace strncmp */
   while (dkey.dptr != NULL && strncmp (dkey.dptr, "YP_", 3)
== 0)
     {
-      free (oldkey.dptr);
+      ypdb_free (oldkey.dptr);
       oldkey.dsize = dkey.dsize;
       oldkey.dptr = strndup (dkey.dptr, dkey.dsize);
       ypdb_free (dkey.dptr);
@@ -960,7 +960,7 @@
       dkey = ypdb_nextkey (((ypall_data_t) data)->dbm,
oldkey);
     }

-  free (oldkey.dptr);
+  ypdb_free (oldkey.dptr);
 #endif

   if (dkey.dptr == NULL)
@@ -1120,7 +1120,7 @@

          ypdb_close (data->dbm);
        }
-      free (data);
+      ypdb_free (data);
     }

   if (debug_flag)
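Review bot: `ypdb_free (data);` is applied to the bookkeeping struct whose `->dbm` member is closed two lines above, not to a pointer handed out by the database, so this substitution looks unrelated to the datum problem the patch targets. If `ypdb_free` is a no-op for NDBM, the struct is leaked on every pass through this path; if it maps to a database-specific release routine, it is called on memory the database never allocated. Where `data` is allocated is not visible in the hunk, but unless it comes from the database layer this line should stay `free (data);`. The enclosing function starts and ends outside the hunk.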

Comment 1 Bill Nottingham 1999-10-29 18:05:59 UTC
I believe this is fixed in the errata release.

