The availability of socketbits.h?
Xu Qiang
Qiang.Xu at fujixerox.com
Tue May 17 20:07:43 PDT 2005
Giorgos Keramidas wrote:
> A bug in the program. The relevant code seems to be this part of
> nngs-1.1.14/nrat/command.c:
>
> void commands_init()
> {
>     FILE *fp, *afp;
>     int i = 0;
>
>     fp = xyfopen(FILENAME_CMDS, "w");
>     if (!fp) {
>         return;
>     }
>     afp = xyfopen(FILENAME_ACMDS, "w");
>     if (!afp) {
>         fclose(fp);
>         return;
>     }
>     for (i = 0; command_list[i].comm_name; i++) {
>         if (command_list[i].adminLevel >= ADMIN_ADMIN) {
>             fprintf(afp, "%s\n", command_list[i].comm_name);
>         } else {
>             fprintf(fp, "%s\n", command_list[i].comm_name);
>         }
>     }
>     fclose(fp);
>     fclose(afp);
> }
>
> If we put for a while the horrible style aside, the bug seems to be
> that the for loop doesn't properly check the bounds of the
> command_list[] array. This would probably be ok if the command_list
> array was declared to have a trailing element set to an "all zeroes"
> value:
>
> struct command_type command_list[] = {
>     {"accept", "n", com_accept, ADMIN_USER },
>     {"actitle", "dS", com_actitle, ADMIN_ADMIN },
>     {0, 0, 0, 0 },
> };
>
> but it's not (look in nngs-1.1.14/nrat/command_list.h):
>
> /* Name Options Functions Security */
> struct command_type command_list[] = {
>     {"accept", "n", com_accept, ADMIN_USER },
>     {"actitle", "dS", com_actitle, ADMIN_ADMIN },
>     [...]
>     /* by Syncanph */
>     {"shownote", "", com_shownote, ADMIN_USER },
> };
>
> and this is *EXACTLY* where this particular bug lies.
Thank you, Giorgos. You hit the cause I didn't see.
But after compiling, there is a new segmentation fault. Here is the GDB trace:
gso_dev_2# gdb nngssrv nngssrv.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `nngssrv'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libcrypt.so.2...done.
Loaded symbols for /lib/libcrypt.so.2
Reading symbols from /lib/libm.so.3...done.
Loaded symbols for /lib/libm.so.3
Reading symbols from /lib/libc.so.5...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x281803d2 in strcmp () from /lib/libc.so.5
(gdb) bt
#0 0x281803d2 in strcmp () from /lib/libc.so.5
#1 0x2817f125 in qsort () from /lib/libc.so.5
#2 0x0805d740 in command_init () at command.c:212
#3 0x0805ae95 in main (argc=1116386171, argv=0xbfbfe958) at nngsmain.c:158
It seems still related to the array of command_list.
Any further suggestions?
thanks,
Regards,
Xu Qiang