Tahoe UUCP mlogent() can cause null FILE pointer dereference

Bruce Jerrick bruce at ogicse.ogc.edu
Sat Feb 10 16:51:09 AEST 1990 

Index:	usr.bin/uucp/logent.c 4.3BSD TAHOE FIX

Description:
	mlogent() (in logent.c) can pass a null FILE pointer to fprintf(),
	resulting in null pointer dereferencing.

	In each of logent(), log_xferstats(), and syslog(), look at the calls
	to mlogent() and the few lines preceding them.  get_logfd() can return
	a null FILE pointer if its fopen() fails (and it has code to handle
	that case), but it gets passed into mlogent(), which passes it into
	fprintf(), which dereferences it.

Repeat-By:
	Only happens under duress (for us it was when the kernel's file
	table temporarily overflowed).  May result in core dumps in
	/usr/spool/uucp.
	Examine code discussed above, in logent.c .

Fix:
	In mlogent() in logent.c, surround the use of FILE pointer fp with
	the conditional "if (fp != NULL) { ... }" .  The rest of the code
	in mlogent() is still useful even if fp is null.

	(The diff below isn't as bad as it looks; all the ! lines are
	just re-indented.)


*** /tmp/,RCSt1019411	Fri Feb  9 21:38:51 1990
--- logent.c	Fri Feb  9 18:38:54 1990
***************
*** 86,105 ****
  	ftime(&Now);
  #endif !USG
  	tp = localtime(&Now.time);
  #ifdef USG
! 	fprintf(fp, "%s %s (%d/%d-%2.2d:%2.2d-%d) ",
  #else !USG
! 	fprintf(fp, "%s %s (%d/%d-%02d:%02d-%d) ",
  #endif !USG
! 		User, Rmtname, tp->tm_mon + 1, tp->tm_mday,
! 		tp->tm_hour, tp->tm_min, pid);
! 	fprintf(fp, "%s %s\n", status, text);
  
! 	/* Since it's buffered */
  #ifndef F_SETFL
! 	lseek (fileno(fp), (long)0, 2);
  #endif !F_SETFL
! 	fflush (fp);
  	if (Debug) {
  		fprintf(stderr, "%s %s ", User, Rmtname);
  #ifdef USG
--- 86,109 ----
  	ftime(&Now);
  #endif !USG
  	tp = localtime(&Now.time);
+ 
+ 	if (fp != NULL) {
  #ifdef USG
! 		fprintf(fp, "%s %s (%d/%d-%2.2d:%2.2d-%d) ",
  #else !USG
! 		fprintf(fp, "%s %s (%d/%d-%02d:%02d-%d) ",
  #endif !USG
! 			User, Rmtname, tp->tm_mon + 1, tp->tm_mday,
! 			tp->tm_hour, tp->tm_min, pid);
! 		fprintf(fp, "%s %s\n", status, text);
  
! 		/* Since it's buffered */
  #ifndef F_SETFL
! 		lseek (fileno(fp), (long)0, 2);
  #endif !F_SETFL
! 		fflush (fp);
+ 	}
+ 
  	if (Debug) {
  		fprintf(stderr, "%s %s ", User, Rmtname);
  #ifdef USG


========================================================================

        Bruce Jerrick
        Oregon Graduate Center, er, uh, Institute
        InterNet:  bruce at cse.ogi.edu
        UUCP:      ogicse!bruce
        Voice:     (503) 690-1157

More information about the Comp.bugs.4bsd.ucb-fixes mailing list