BUG in art.c:2284 ARTpost() causes core
Kai 'wusel' Siering
wusel at uu.org
Fri Nov 19 13:49:36 UTC 1999
Moin,
N wrote:
% Miquel van Smoorenburg wrote:
%
% > Yes the code looks that way, but there's a bit more to it. Look at
% > a gdb strace of a crashed innd:
% >
% > #0 0x8067362 in MaxLength (p=0x0, q=0x0) at innd.c:134
% > 134 i = strlen(p);
% > (gdb) up
[...]
% > (gdb) print distributions[0]
% > $1 = 0x0
% >
% > As you can see distributions[0] is most certainly NULL, and dereferencing
% > it as *distributions[0] will cause a coredump.
% >
% > In fact that is WHY innd crashed in the first place; the dereference
% > of distributions[0] in the sprintf() ...
%
% In fact it was calling strlen() on it.
Yepp.
% Libc's printf of most platforms
% just outputs (null) instead of coring. FreeBSD, Linux and IRIX live,
% SunOS 5.x dies.
Kind of a philosophical discussion, whether or not libc has to
function as a safety belt for buggy software, isn't it? A bug is
a bug, even under FreeBSD, Linux and IRIX ;)
I added something along the lines of
    if(!p || !q) {syslog(); buf[0]='\0'; return(buf);}
in MaxLength() to make sure that beast won't bite my servers
again.
As to the published patch: my understanding is that neither
if (distribution[0] == '\0')
nor
if (*distribution[0] == '\0')
addresses the problem in question. Only
if (distribution[0] == NULL)
does, since distribution[0] is a pointer to char, not a char, and
the issue is not whether any string is empty but whether a pointer
(to char) points to NULL.
% The article that caught me was <942925094.1792snx at wang.pc.my>, apparently
% containing Distribution: \r\n as `print Data' in gdb shows.
It was "Distribution: ,".

Regards,
kai
--
Kai 'wusel' Siering eMail @ home: wusel at uu.org
Traveller on the Information Highway doing full-time administration.
The views expressed here are not necessarily those of any employer.
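The two points the thread makes, that only a pointer comparison against NULL protects strlen(), and that a guard at the top of the length helper stops the crash for good, as an added example that is not INN's code. The function names max_length_guarded() and classify(), the buffer size and the truncation rule are assumptions; innd's real MaxLength() is not reproduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Three states a parsed header slot can be in; the thread's patches
 * confused the second and third. */
typedef enum { DIST_OK, DIST_NULL_POINTER, DIST_EMPTY_STRING } dist_state;

/* distributions is an array of char*, so distributions[0] is a pointer.
 * Only the NULL test can be made before dereferencing it; the '\0' test
 * is about the string's first byte and already requires a valid pointer. */
dist_state classify(char *const *distributions) {
    if (distributions[0] == NULL)
        return DIST_NULL_POINTER;   /* this is the case that crashed innd */
    if (distributions[0][0] == '\0')
        return DIST_EMPTY_STRING;   /* what "*distribution[0] == '\0'" tests */
    return DIST_OK;
}

/* Hypothetical stand-in for innd's MaxLength(): copy header value p into
 * buf for logging, truncating with "..." so the result fits in max bytes.
 * q is the field name (kept only for the guard, as in the original call).
 * Returns buf; never dereferences a NULL argument. */
const char *max_length_guarded(const char *p, const char *q,
                               char *buf, size_t max) {
    if (p == NULL || q == NULL) {
        /* where innd would syslog(): log and hand back an empty string */
        fprintf(stderr, "max_length_guarded: NULL argument\n");
        buf[0] = '\0';
        return buf;
    }
    size_t len = strlen(p);          /* safe: p is known non-NULL here */
    if (len < max) {
        memcpy(buf, p, len + 1);
    } else {
        /* keep max-4 bytes, append "..." and the terminator */
        memcpy(buf, p, max - 4);
        memcpy(buf + max - 4, "...", 4);
    }
    return buf;
}

int main(void) {
    /* constructed inputs: a slot left NULL by "Distribution: ,",
     * an empty value, and a normal value */
    char *null_slot[]  = { NULL };
    char *empty_slot[] = { "" };
    char *ok_slot[]    = { "fr,de" };
    char buf[80];

    printf("NULL slot  -> %d\n", classify(null_slot));
    printf("empty slot -> %d\n", classify(empty_slot));
    printf("ok slot    -> %d\n", classify(ok_slot));
    printf("guarded(NULL) -> \"%s\"\n",
           max_length_guarded(NULL, "Distribution", buf, sizeof buf));
    printf("guarded(value) -> \"%s\"\n",
           max_length_guarded(ok_slot[0], "Distribution", buf, sizeof buf));
    return 0;
}
```

The guard mirrors the one described in the mail: check both pointers before strlen(), report, and return an empty buffer rather than relying on whatever the platform's libc does with a NULL.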