Bug #9645

Updated by Andrew Stormont about 3 years ago

scf_read_propvec walks the prop vector, setting the addresses for certain property types (such as opaque and astring, since they are dynamically sized) and setting them to NULL. On error it calls scf_clean_propvec, which checks the addresses before freeing them and skips over any set to NULL. The problem is that in some failure scenarios this is called before the addresses have been initialized, causing a segfault.

 <pre> 
 # pstack /var/cores/core.svc-auditset.6995 
 core '/var/cores/core.svc-auditset.6995' of 6995:         /lib/svc/method/svc-auditset 
  fee59f9c _free_unlocked (8062000, 8047c4c, 73, 8062000, fe9fd000, fe93d900) + 24 
  fee5a3df free       (8062000, fe9fd000, 3eb, 80632a0, 8047ca0, fefbe010) + 45 
  fe9da6a7 scf_clean_propvec (fe93d900, fe9247f2, 0, 80623a8, 80623c8, 8062368) + 8c 
  fe9daada scf_read_propvec (fe9247f2, fe9248b0, 0, fe93d900, 8047d5c, 0) + 418 
  fe9199a0 get_val_scf (fe93d900, fe9248b0, 5, 8047dbc, 0, 8047e20) + 47 
  fe91a97c do_getflags_scf (8047dbc, 8047db8, 0, 8051820, 8062000, 805126e) + 5d 
  080516f9 main       (1, 8047e20, 8047e28, 8051363, 0, 0) + 128 
  08051388 _start_crt (1, 8047e20, fefcf363, 0, 0, 0) + 97 
  0805125a _start     (1, 8047ed0, 0, 8047eed, 8047f0f, 8047f20) + 1a 
 </pre>
