[tac_plus] Patch for a crash when using long commands

Marc Dequenes mdequenes at uperto.com
Mon Jan 20 15:38:32 UTC 2014


Coin,

One of our clients had a bug which seemed to happen only with long commands like:
  path 1 e1 15  tu12-au4 1 3 framing crc4 mapping-mode bit-async
timeslots 1-9 10-18 19-27
(on CISCO routers, probably CRS)

The child process crashed with:
*** glibc detected *** /usr/bin/tac_plus: free(): invalid next size
(fast): 0x000000001eea4d60 ***
======= Backtrace: =========
/lib64/libc.so.6[0x37aaa7230f]
/lib64/libc.so.6(cfree+0x4b)[0x37aaa7276b]
/usr/bin/tac_plus[0x40a205]
/usr/bin/tac_plus[0x403af6]
/usr/bin/tac_plus[0x40f2ea]
/usr/bin/tac_plus[0x40fc24]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x37aaa1d994]
/usr/bin/tac_plus[0x402939]

I found an off-by-one mistake in the command buffer allocation (room
for \0 was forgotten) and made a small patch to fix it. We are unable
to reproduce since then.

Regards.

-- 
Marc Dequènes
Consultant Devoteam Uperto/IdeOS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tacacs+_buffer_alloc_offbyone.patch
Type: text/x-patch
Size: 408 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20140120/4f2a1871/attachment.bin>
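The kind of off-by-one the message describes, as an added illustrative example in C. This is not the tac_plus source and not the attached patch (which the archive scrubbed); every function name and the sample argv below are constructed for this page. It shows a sizing routine that counts the joined command text but forgets the terminating NUL, beside the corrected one, and a guard-byte check that proves the copy loop overruns a buffer sized the buggy way by exactly one byte.

```c
/* Added example for this page: a one-byte heap overflow from a buffer size
 * that forgets the NUL terminator, beside the corrected sizing. Illustrative
 * code only; not the tac_plus implementation and not the scrubbed patch. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of all argv[] words joined by single spaces, WITHOUT the NUL. */
static size_t joined_len(int argc, const char *const argv[])
{
    size_t n = 0;
    for (int i = 0; i < argc; i++) {
        n += strlen(argv[i]);
        if (i + 1 < argc)
            n += 1;                     /* separating space */
    }
    return n;
}

/* The bug: sizes the buffer from the visible text only (hypothetical name). */
size_t buggy_alloc_size(int argc, const char *const argv[])
{
    return joined_len(argc, argv);
}

/* The fix: one extra byte for the terminating '\0' (hypothetical name). */
size_t fixed_alloc_size(int argc, const char *const argv[])
{
    return joined_len(argc, argv) + 1;
}

/* Copy loop shared by both variants. It always writes the NUL, so a buffer
 * sized with buggy_alloc_size() is overrun by exactly one byte. */
static void join_into(char *dst, int argc, const char *const argv[])
{
    char *p = dst;
    for (int i = 0; i < argc; i++) {
        size_t l = strlen(argv[i]);
        memcpy(p, argv[i], l);
        p += l;
        if (i + 1 < argc)
            *p++ = ' ';
    }
    *p = '\0';
}

/* Shows the overrun without undefined behaviour: allocate the buggy size plus
 * one guard byte, run the copy, and report whether the guard was clobbered.
 * Returns 1 if the NUL landed on the guard byte, 0 if not, -1 on OOM. */
int guard_byte_clobbered(int argc, const char *const argv[])
{
    size_t n = buggy_alloc_size(argc, argv);
    unsigned char *buf = malloc(n + 1);
    if (!buf)
        return -1;
    buf[n] = 0xAA;                      /* guard byte just past the "buffer" */
    join_into((char *)buf, argc, argv);
    int clobbered = (buf[n] != 0xAA);
    free(buf);
    return clobbered;
}

/* Correct version: returns a heap string the caller must free(). */
char *join_args(int argc, const char *const argv[])
{
    char *buf = malloc(fixed_alloc_size(argc, argv));
    if (!buf)
        return NULL;
    join_into(buf, argc, argv);
    return buf;
}

/* strlen() of the correctly joined string; -1 on OOM. */
long join_args_len(int argc, const char *const argv[])
{
    char *s = join_args(argc, argv);
    if (!s)
        return -1;
    long n = (long)strlen(s);
    free(s);
    return n;
}

/* Constructed sample: the long CRS path command quoted in the message, split
 * into words the way a TACACS+ authorization request carries them. */
const char *const sample_argv[] = { "path", "1", "e1", "15", "tu12-au4", "1",
    "3", "framing", "crc4", "mapping-mode", "bit-async", "timeslots", "1-9",
    "10-18", "19-27" };
const int sample_argc = (int)(sizeof sample_argv / sizeof sample_argv[0]);

int main(void)
{
    printf("buggy size %zu, fixed size %zu, guard clobbered: %d\n",
           buggy_alloc_size(sample_argc, sample_argv),
           fixed_alloc_size(sample_argc, sample_argv),
           guard_byte_clobbered(sample_argc, sample_argv));
    char *s = join_args(sample_argc, sample_argv);
    if (s) {
        printf("%s\n", s);
        free(s);
    }
    return 0;
}
```

The guard check is also why such a bug hides behind "long commands": glibc rounds malloc requests up to its chunk size, so for most lengths the stray NUL lands in slack inside the chunk and nothing notices, and only when the request happens to fill the chunk exactly does the byte hit the next chunk's header, which is what a `free(): invalid next size` abort is reporting.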