Xref: utzoo comp.protocols.tcp-ip:5629 comp.bugs.4bsd:1123
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!nrl-cmf!cmcl2!polyof!john
From: john@polyof.UUCP ( John Buck )
Newsgroups: comp.protocols.tcp-ip,comp.bugs.4bsd
Subject: recent posting ftpd (and older version) have a bug
Keywords: blkfree is too ambitious
Message-ID: <405@polyof.UUCP>
Date: 1 Dec 88 21:23:45 GMT
Organization: Polytechnic University, Farmingdale NY
Lines: 24


Program: ftpd
Sources: etc/ftpd/{glob.c,popen.c}
Symptom: ftpd core dumps (essentially) sometimes, causing a remote error
	 of "Service unavailable; server has closed connection"
Problem: If glob() fails (no matches), it winds up freeing (via free())
	 an automatic stack array (gargv)
Fix:	 Remove last free() call in blkfree() (i.e. the one that frees the
	 pointer to the list)
	 Then, you have to fix the call to blkfree() in popen.c to do an
	 extra free(argv[argc]) after the blkfree(argv[argc])

History: The comment in glob.c says it all... The code for glob was lifted
	 from csh, and seemingly appropriate changes were made.  Problem
	 was a call to xfree() was changed to plain old free().  xfree() in
	 csh checked to see if the address that was being freed was
	 past the end of the data area.  If it was, the call was ignored.
	 free() does not do this extra, kludgy, checking.
Alternative fix: lift the code for xfree() from csh, and make necessary,
	kludgy, changes.
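The ownership mistake above, as an added illustration that is not the 4.3BSD ftpd source: a blkfree() that also frees the list pointer is correct for popen.c's malloc'd argv and undefined behaviour for glob.c's automatic gargv, and the zero-match case is exactly where only that last free() runs. fill_matches() is an invented stand-in for glob(), and the demo function names are made up for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not the ftpd code. It models the blkfree() ownership
 * bug: freeing the array that holds the string pointers is only valid
 * when that array came from malloc(). fill_matches(), stack_list_demo(),
 * heap_list_demo() and heap_list_old_demo() are invented for the demo. */

/* Portable strdup(); strdup() itself is POSIX, not ISO C. */
static char *dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* The "too ambitious" version: after freeing the strings it frees the
 * list pointer itself. Only ever safe on a heap-allocated list. */
static void blkfree_old(char **av0)
{
    char **av;
    for (av = av0; *av != NULL; av++)
        free(*av);
    free((char *)av0);          /* crashes ftpd when av0 is gargv on the stack */
}

/* The fix from the post: free the elements only. Whoever allocated the
 * list owns it, so a stack list needs nothing more and a heap list gets
 * one explicit free() from its owner. */
static void blkfree(char **av0)
{
    char **av;
    for (av = av0; *av != NULL; av++)
        free(*av);
}

/* Stand-in for glob(): copies the names ending in `suffix` into `out`
 * (capacity `cap`, NULL-terminated) and returns how many matched.
 * Zero matches is the case that used to crash ftpd. */
static int fill_matches(char **out, size_t cap, const char *const *names,
                        size_t nnames, const char *suffix)
{
    size_t i, n = 0, slen = strlen(suffix);
    for (i = 0; i < nnames && n + 1 < cap; i++) {
        size_t len = strlen(names[i]);
        if (len >= slen && strcmp(names[i] + len - slen, suffix) == 0)
            out[n++] = dupstr(names[i]);
    }
    out[n] = NULL;
    return (int)n;
}

/* Like glob.c: the list lives in an automatic array. Returns the match
 * count; blkfree() must not free gargv itself, matches or not. */
int stack_list_demo(const char *suffix)
{
    static const char *const names[] = { "a.c", "b.c", "README" };
    char *gargv[8];
    int n = fill_matches(gargv, 8, names, 3, suffix);
    blkfree(gargv);             /* frees the strings, leaves the stack array alone */
    return n;
}

/* Like popen.c after the fix: the list is malloc'd, so the owner frees it
 * once blkfree() has released the elements. */
int heap_list_demo(void)
{
    char **argv = malloc(4 * sizeof *argv);
    if (argv == NULL)
        return -1;
    argv[0] = dupstr("ls");
    argv[1] = dupstr("-l");
    argv[2] = dupstr("*.c");
    argv[3] = NULL;
    blkfree(argv);
    free(argv);                 /* the extra free() the post adds to popen.c */
    return 3;
}

/* The old blkfree() is still correct on a heap list, which is why the bug
 * stayed invisible in popen.c and only glob() exposed it. */
int heap_list_old_demo(void)
{
    char **argv = malloc(2 * sizeof *argv);
    if (argv == NULL)
        return -1;
    argv[0] = dupstr("x");
    argv[1] = NULL;
    blkfree_old(argv);          /* frees "x" and then the array: fine here */
    return 1;
}
```

Calling stack_list_demo(".h") reproduces the no-match path: nothing is freed, and with the old blkfree() the one free() that would still run is the illegal free(gargv).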

John Buck
john@polyof.poly.edu
john@polygraf.bitnet