Xref: utzoo comp.protocols.tcp-ip:5629 comp.bugs.4bsd:1123
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!nrl-cmf!cmcl2!polyof!john
From: john@polyof.UUCP ( John Buck )
Newsgroups: comp.protocols.tcp-ip,comp.bugs.4bsd
Subject: recent posting ftpd (and older version) have a bug
Keywords: blkfree is too ambitious
Message-ID: <405@polyof.UUCP>
Date: 1 Dec 88 21:23:45 GMT
Organization: Polytechnic University, Farmingdale NY
Lines: 24

Program: ftpd

Sources: etc/ftpd/{glob.c,popen.c}

Symptom: ftpd core dumps (essentially) sometimes, causing a remote error of "Service unavailable; server has closed connection"

Problem: If glob() fails (no matches), it winds up freeing (via free()) an automatic stack array (gargv)

Fix: Remove last free() call in blkfree() (i.e. the one that frees the pointer to the list). Then, you have to fix the call to blkfree() in popen.c to do an extra free(argv[argc]) after the blkfree(argv[argc])

History: The comment in glob.c says it all... The code for glob was lifted from csh, and seemingly appropriate changes were made. Problem was a call to xfree() was changed to plain old free(). xfree() in csh checked to see if the address that was being freed was past the end of the data area. If it was, the call was ignored. free() does not do this extra, kludgy, checking.

Alternative fix: lift the code for xfree() from csh, and make necessary, kludgy, changes.

John Buck
john@polyof.poly.edu
john@polygraf.bitnet
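The ownership split behind the first fix, as an added example that is not part of the original post and is not the ftpd source: the helper frees only the strings, and the caller that allocated the vector decides whether the vector goes to free(). The names `blkfree_fixed`, `copy`, `demo_stack_vector` and `demo_heap_vector` are hypothetical, and the sample strings are constructed.

```c
#include <stdlib.h>
#include <string.h>

static int freed_strings;  /* counts element frees so callers can report them */

/* Copy s to the heap; abort on allocation failure to keep the demo short. */
static char *copy(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p == NULL)
        abort();
    return strcpy(p, s);
}

/* Fixed shape: free every string in the NULL-terminated vector, never the
 * vector itself, since the callee cannot tell how the caller allocated it. */
static void blkfree_fixed(char **av)
{
    for (; *av != NULL; av++) {
        free(*av);
        freed_strings++;
    }
}

/* Vector is an automatic array (the gargv case): only the strings are heap. */
int demo_stack_vector(void)
{
    char *gargv[3] = { copy("ls"), copy("*.none"), NULL };  /* constructed */
    freed_strings = 0;
    blkfree_fixed(gargv);          /* gargv itself is never passed to free() */
    return freed_strings;
}

/* Vector came from malloc: the caller that allocated it frees it afterwards. */
int demo_heap_vector(void)
{
    char **pop = malloc(3 * sizeof *pop);
    if (pop == NULL)
        abort();
    pop[0] = copy("a.c");          /* constructed sample entries */
    pop[1] = copy("b.c");
    pop[2] = NULL;
    freed_strings = 0;
    blkfree_fixed(pop);
    free(pop);                     /* the extra free the caller now owns */
    return freed_strings;
}

int main(void) { return !(demo_stack_vector() == 2 && demo_heap_vector() == 2); }
```

Building this with a memory checker such as AddressSanitizer or Valgrind should report no invalid free and no leak on either path.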