[ Bill Fenner added as "maintainer" of libpcap/tcpdump ]
According to Kris Kennaway:
> Fallout from the malloc.conf changes. tcpdump has the same bug.
I think^W'm sure the bug is in libpcap though as several libpcap applications
fail with the same error (tcpdump, ntop, trafshow).
The problem is inside pcap_lookupdev(): "buf" is used to store interface data,
then freed, then the buffer is used again:
-=-=-
for (;;) {
    buf = malloc (buf_size);
    if (buf == NULL) {
        close (fd);
        (void)sprintf(errbuf, "out of memory");
        return (NULL);
    }
    ifc.ifc_len = buf_size;
    ifc.ifc_buf = buf;
    memset (buf, 0, buf_size);
    ...
    for (cp = ifrp->ifr_name; !isdigit(*cp); ++cp)
        continue;
    n = atoi(cp);
    if (n < minunit) {
        minunit = n;
        mp = ifrp;
    }
}
free(buf); <<<<<<<
(void)close(fd);
if (mp == NULL) {
    (void)strcpy(errbuf, "no suitable device found");
    return (NULL);
}
(void)strncpy(device, mp->ifr_name, sizeof(device) - 1); <<<<<<<
device[sizeof(device) - 1] = '\0';
return (device);
-=-=-
The last free(buf) has filled "buf" with 0xd0 so "mp" points to the same
area. If anyone has the address of the mailing list for libpcap, please send
this patch. I won't commit it as it would get the file out of the vendor
branch.
Index: inet.c
===================================================================
RCS file: /spare/FreeBSD-current/src/contrib/libpcap/inet.c,v
retrieving revision 1.1.1.4
diff -u -2 -I.*$Id:.* -r1.1.1.4 inet.c
--- inet.c 2000/01/30 00:32:41 1.1.1.4
+++ inet.c 2000/07/20 20:41:36
@@ -174,7 +174,7 @@
}
}
- free(buf);
(void)close(fd);
if (mp == NULL) {
+ free(buf);
(void)strcpy(errbuf, "no suitable device found");
return (NULL);
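Review bot: with free(buf) moved into the `if (mp == NULL)` branch, every exit path after the loop now has to release buf on its own, so an early return added here later would leak it. Consider keeping a single release point instead: copy the name inside an `if (mp != NULL)` block while buf is still live, call free(buf) once, and then choose the return value.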
@@ -183,4 +183,5 @@
(void)strncpy(device, mp->ifr_name, sizeof(device) - 1);
device[sizeof(device) - 1] = '\0';
+ free(buf);
return (device);
}
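Review bot: the free(buf) added before `return (device);` is only safe because mp->ifr_name has already been copied into device, and nothing in the code says that mp points into buf. A one-line comment above the strncpy stating that mp aliases buf and must not be read after the free would keep the free from being moved back above the copy.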
--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- [EMAIL PROTECTED]
FreeBSD keltia.freenix.fr 5.0-CURRENT #80: Sun Jun 4 22:44:19 CEST 2000
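
The ordering problem described in the message above, as an added example that is not code from libpcap or from the original post: a pointer into the buffer is read after the buffer has been junk-filled, versus copying first as the patch does. `struct ifent`, `junk_release()`, `lowest_unit()` and `lookup()` are hypothetical names, the interface names are constructed, and the fill keeps the block allocated so the stale read stays defined.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define JUNK 0xd0                      /* fill byte named in the message */
#define NAMELEN 16
struct ifent { char name[NAMELEN]; };  /* hypothetical stand-in for struct ifreq */

/* "Free" as a junk-filling allocator would, but keep the block allocated
 * so the stale read below stays defined and can be inspected. */
static void junk_release(void *p, size_t len) { memset(p, JUNK, len); }

/* Lowest-unit selection as in the excerpt: skip to the digits, then atoi. */
static struct ifent *lowest_unit(struct ifent *v, size_t n) {
    struct ifent *mp = NULL;
    int minunit = INT_MAX;
    for (size_t i = 0; i < n; i++) {
        const char *cp = v[i].name;
        while (*cp != '\0' && !isdigit((unsigned char)*cp)) ++cp;
        int unit = atoi(cp);
        if (unit < minunit) { minunit = unit; mp = &v[i]; }
    }
    return mp;                         /* points INTO v, like mp into buf */
}

/* copy_first = 1: patched order (copy name, then release buf).
 * copy_first = 0: original order (release buf, then read through mp). */
static const char *lookup(int copy_first) {
    static const char *names[] = { "ed1", "ed0", "fxp2" };  /* constructed */
    static char device[NAMELEN + 1];
    size_t n = sizeof(names) / sizeof(names[0]);
    struct ifent *buf = calloc(n, sizeof(*buf));
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < n; i++) strcpy(buf[i].name, names[i]);
    struct ifent *mp = lowest_unit(buf, n);
    if (!copy_first) junk_release(buf, n * sizeof(*buf));
    strncpy(device, mp->name, sizeof(device) - 1);
    device[sizeof(device) - 1] = '\0';
    if (copy_first) junk_release(buf, n * sizeof(*buf));
    free(buf);                         /* real release, after the last read */
    return device;
}

int main(void) {
    printf("patched:  %s\n", lookup(1));
    printf("original: first byte 0x%02x\n", (unsigned char)lookup(0)[0]);
    return 0;
}
```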