bruce@ogicse.ogc.edu (Bruce Jerrick) (02/10/90)
Index: usr.bin/uucp/logent.c 4.3BSD TAHOE FIX
Description:
mlogent() (in logent.c) can pass a null FILE pointer to fprintf(),
resulting in null pointer dereferencing.
In each of logent(), log_xferstats(), and syslog(), look at the calls
to mlogent() and the few lines preceding them. get_logfd() can return
a null FILE pointer if its fopen() fails (and it has code to handle
that case), but it gets passed into mlogent(), which passes it into
fprintf(), which dereferences it.
Repeat-By:
Only happens under duress (for us it was when the kernel's file
table temporarily overflowed). May result in core dumps in
/usr/spool/uucp.
Examine code discussed above, in logent.c .
Fix:
In mlogent() in logent.c, surround the use of FILE pointer fp with
the conditional "if (fp != NULL) { ... }" . The rest of the code
in mlogent() is still useful even if fp is null.
(The diff below isn't as bad as it looks; all the ! lines are
just re-indented.)
*** /tmp/,RCSt1019411 Fri Feb 9 21:38:51 1990
--- logent.c Fri Feb 9 18:38:54 1990
***************
*** 86,105 ****
ftime(&Now);
#endif !USG
tp = localtime(&Now.time);
#ifdef USG
! fprintf(fp, "%s %s (%d/%d-%2.2d:%2.2d-%d) ",
#else !USG
! fprintf(fp, "%s %s (%d/%d-%02d:%02d-%d) ",
#endif !USG
! User, Rmtname, tp->tm_mon + 1, tp->tm_mday,
! tp->tm_hour, tp->tm_min, pid);
! fprintf(fp, "%s %s\n", status, text);
! /* Since it's buffered */
#ifndef F_SETFL
! lseek (fileno(fp), (long)0, 2);
#endif !F_SETFL
! fflush (fp);
if (Debug) {
fprintf(stderr, "%s %s ", User, Rmtname);
#ifdef USG
--- 86,109 ----
ftime(&Now);
#endif !USG
tp = localtime(&Now.time);
+
+ if (fp != NULL) {
#ifdef USG
! fprintf(fp, "%s %s (%d/%d-%2.2d:%2.2d-%d) ",
#else !USG
! fprintf(fp, "%s %s (%d/%d-%02d:%02d-%d) ",
#endif !USG
! User, Rmtname, tp->tm_mon + 1, tp->tm_mday,
! tp->tm_hour, tp->tm_min, pid);
! fprintf(fp, "%s %s\n", status, text);
! /* Since it's buffered */
#ifndef F_SETFL
! lseek (fileno(fp), (long)0, 2);
#endif !F_SETFL
! fflush (fp);
+ }
+
if (Debug) {
fprintf(stderr, "%s %s ", User, Rmtname);
#ifdef USG
========================================================================
Bruce Jerrick
Oregon Graduate Center, er, uh, Institute
InterNet: bruce@cse.ogi.edu
UUCP: ogicse!bruce
Voice: (503) 690-1157