Bug 36175 - Vsnprintf causes memory leak
Summary: Vsnprintf causes memory leak
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Maxim Konovalov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-03-21 20:50 UTC by Jiu Zheng
Modified: 2002-09-23 08:05 UTC
Description Jiu Zheng 2002-03-21 20:50:02 UTC
*Each time* vsnprintf is called with str == NULL, 1K of memory is 
allocated and never gets freed. This can cause a memory leak for certain 
applications.

For example, in the recent Samba 3.0 alpha release, there is such a
line

len = vsnprintf(NULL, 0, fmt, ap);

used to calculate the length of the string. Then a serious memory leak
is caused in winbindd (a daemon that is part of the Samba package). 

I noticed in revision 1.15 of vsnprintf (CVS) the author said

"revert freeing of memory that gets allocated when str == NULL
(this will be fixed in a better way)"

I am not sure the author really means to allocate 1M of memory
if the function is called in such a way 1000 times in a program.
I think this should get fixed ASAP.

Thank you.

Fix: 

The author, assar, must know
How-To-Repeat: Just compile and run the following, and see the program size grow

#include <stdio.h>
#include <stdarg.h>

/* Query the formatted length with a NULL, zero-size buffer. On the
 * affected libc each such call allocates 1K that is never freed. */
void do_print(char const *fmt, ...) {
	int len;
	va_list ap;

	va_start(ap, fmt);
	len = vsnprintf(NULL, 0, fmt, ap);
	va_end(ap);
	(void)len;	/* the length itself is not needed for the repro */
}

int main(void) {
	/* Loop forever and watch the process size grow in ps(1) or top(1). */
	while (1)
		do_print("bad\n");
}
Comment 1 Jiu Zheng 2002-03-21 20:58:52 UTC
Dear FreeBSD,

I think I accidentally filed this under the "bin" category.
This is really a problem of a function in libc.
Maybe it should be sent to "misc"?

I wish you will be able to forward this to a more proper
place and get the libc maintainers to read it.

Thank you.

Jiu



On Thu, 21 Mar 2002 FreeBSD-gnats-submit@FreeBSD.org wrote:

> Thank you very much for your problem report.
> It has the internal identification `bin/36175'.
> The individual assigned to look at your
> report is: freebsd-bugs.
>
> You can access the state of your problem report at any time
> via this link:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=36175
>
> >Category:       bin
> >Responsible:    freebsd-bugs
> >Synopsis:       Vsnprintf causes memeory leak
> >Arrival-Date:   Thu Mar 21 12:50:02 PST 2002
>
Comment 2 Maxim Konovalov 2002-03-22 08:42:55 UTC
Could you please try the patch below (from OpenBSD):

Index: vsnprintf.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/stdio/vsnprintf.c,v
retrieving revision 1.15
diff -u -r1.15 vsnprintf.c
--- vsnprintf.c	18 Jun 2001 04:40:52 -0000	1.15
+++ vsnprintf.c	22 Mar 2002 08:32:29 -0000
@@ -55,6 +55,7 @@
 {
 	size_t on;
 	int ret;
+	char dummy;
 	FILE f;

 	on = n;
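Review bot: `dummy` is declared here but only used in the next hunk, where `str` is repointed at it; a one-line comment at the declaration (e.g. `char dummy;	/* target for the zero-length case */`) would tell a reader why a lone one-byte automatic buffer lives on this frame. Storing the address of an automatic variable into the string FILE is only safe because `f` is itself a local (`FILE f;` just below) and cannot outlive this function; that assumption is worth stating next to the declaration.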
@@ -62,6 +63,11 @@
 		n--;
 	if (n > INT_MAX)
 		n = INT_MAX;
+	/* Stdio internals do not deal correctly with zero length buffer */
+	if (n == 0) {
+                str = &dummy;
+                n = 1;
+	}
 	f._file = -1;
 	f._flags = __SWR | __SSTR;
 	f._bf._base = f._p = (unsigned char *)str;
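Review bot: the two assignments inside the new `if (n == 0)` block are indented with spaces while the surrounding lines and the block's own braces use tabs; make them `		str = &dummy;` and `		n = 1;` for style(9) consistency. The comment should also name the consequence being avoided rather than just "do not deal correctly": with a zero-length buffer the stdio write path allocates a buffer that is never freed, which is exactly the leak this PR reports, and saying so keeps someone from "simplifying" the block away later. Placing the block after the `n > INT_MAX` clamp and leaving `on` untouched looks right: the original length saved by `on = n` in the previous hunk still drives the later bookkeeping, and nothing is ever written through the caller's `str` when it was NULL.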

%%%

-- 
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru
Comment 3 Jiu Zheng 2002-03-22 19:59:16 UTC
Thank you, Maxim,

The way your patch works is exactly how I fixed problems in my
applications' source code: call vsnprintf(&dummy, 1, fmt, ap).

The thing is that it is impractical to patch and recompile libc for all
our development workstations. I just wish this will get fixed soon with a
FreeBSD release.

Jiu


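The length-query idiom from the report and the one-byte-buffer workaround from the comment above, as an added example that is not part of this PR or of FreeBSD's libc: a measure-then-allocate formatter that never hands stdio a zero-length buffer, so it does not hit the leaking path. The function names measure_formatted and format_alloc are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Measure the formatted length without a zero-length buffer: use the
 * &dummy/1 workaround from the PR instead of vsnprintf(NULL, 0, ...),
 * which on the affected libc leaks about 1K per call. (Added example.) */
static int measure_formatted(const char *fmt, va_list ap)
{
    char dummy;           /* stdio writes only the terminating NUL here */
    va_list copy;
    int len;

    va_copy(copy, ap);    /* vsnprintf consumes its va_list; keep the caller's */
    len = vsnprintf(&dummy, 1, fmt, copy);
    va_end(copy);
    return len;           /* full untruncated length, or < 0 on error */
}

/* Two-pass format: measure, allocate exactly, format. Caller frees. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap;
    char *buf;
    int len, written;

    va_start(ap, fmt);
    len = measure_formatted(fmt, ap);
    va_end(ap);
    if (len < 0)
        return NULL;

    buf = malloc((size_t)len + 1);   /* +1 for the NUL; len may be 0 */
    if (buf == NULL)
        return NULL;

    va_start(ap, fmt);
    written = vsnprintf(buf, (size_t)len + 1, fmt, ap);
    va_end(ap);
    if (written != len) {            /* defensive: both passes must agree */
        free(buf);
        return NULL;
    }
    return buf;
}
```

The empty-format case exercises the edge this PR is about: len is 0, yet the measuring pass still passed a real one-byte buffer to vsnprintf.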
Comment 4 bill fumerola freebsd_committer freebsd_triage 2002-05-31 10:16:34 UTC
Responsible Changed
From-To: freebsd-bugs->billf

I'll look into merging OpenBSD's solution to FreeBSD PR #26044 contained 
in this PR.
Comment 5 Maxim Konovalov freebsd_committer freebsd_triage 2002-09-17 12:54:13 UTC
State Changed
From-To: open->patched

Fixed in rev. 1.21 src/lib/libc/stdio/vsnprintf.c in -current. 


Comment 6 Maxim Konovalov freebsd_committer freebsd_triage 2002-09-17 12:54:13 UTC
Responsible Changed
From-To: billf->maxim

MFC reminder.
Comment 7 Maxim Konovalov freebsd_committer freebsd_triage 2002-09-23 08:02:40 UTC
State Changed
From-To: patched->closed

Fixed in rev. 1.21 and rev. 1.12.2.1 src/lib/libc/stdio/vsnprintf.c 
in -current and -stable.