vasprintf() bug.

Rick Lake rick at anp.nl
Wed Oct 3 01:44:02 GMT 2001


=========================
SAMBA version: 2.2.1a
OS: QNX4.25
Compiler: Watcom 10.6
=========================

Hello,

The smbd daemon is crashing under certain conditions. I tracked it down to
the vasprintf() routine in $srcdir/lib/snprintf.c:

int vasprintf(char **ptr, const char *format, va_list ap)
{
    int ret;

    /* first pass: measure the formatted length (consumes 'ap') */
    ret = vsnprintf(NULL, 0, format, ap);
    if (ret <= 0) return ret;

    (*ptr) = (char *)malloc(ret+1);
    if (!*ptr) return -1;
    /* second pass: formats into the buffer, reusing the same 'ap' */
    ret = vsnprintf(*ptr, ret+1, format, ap);

    return ret;
}

The problem is that vsnprintf() is called twice with the same 'ap'
argument. The first call clobbers ap, so when the second call uses it,
problems occur. I'm not sure if this is the correct behavior in va_list
processing, but on my system it fails.

Unfortunately I haven't got a quick fix for this yet. Some solution
options might be:

1. Somehow save the state of 'ap' so that it can be reused. (This might
introduce portability problems, though...)

2. Somehow pass two instances of ap which point to the same argument list,
and then use one per call. But I don't see how this can be done without
changing the usage of vasprintf() to differ from the standard
description, which is of course unacceptable. (I tried this with a global
instance. This worked, but then the calling routine would have to take
this global into account. :-( )

3. Calculate the 'ret' value in a different way (i.e. without calling
vsnprintf() the first time).

Sorry I couldn't come up with a real fix, but in the meantime I'm
pondering the problem.

regards,
rick
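Added example (not part of the original post, and not Samba's code): a replacement that realises option 1 above portably, using C99's va_copy() to hand each vsnprintf() call its own copy of the argument cursor, so the second pass never sees the va_list that the first pass already consumed. The names fixed_vasprintf() and fixed_asprintf() are hypothetical, chosen to avoid clashing with a libc that already provides vasprintf(); the demo_* functions and their "user=rick ..." input are constructed for the check.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed version: each consumer of the argument list
 * works on a va_copy()'d cursor, so 'ap' itself is never clobbered. */
int fixed_vasprintf(char **ptr, const char *format, va_list ap)
{
    va_list ap2;
    int ret;

    *ptr = NULL;

    /* first pass: measure only; work on a private copy of 'ap' */
    va_copy(ap2, ap);
    ret = vsnprintf(NULL, 0, format, ap2);
    va_end(ap2);
    if (ret < 0) return ret;

    *ptr = (char *)malloc((size_t)ret + 1);
    if (!*ptr) return -1;

    /* second pass: a fresh copy again, so the arguments are re-read
     * from the start instead of from wherever the first pass left off */
    va_copy(ap2, ap);
    ret = vsnprintf(*ptr, (size_t)ret + 1, format, ap2);
    va_end(ap2);
    if (ret < 0) {
        free(*ptr);
        *ptr = NULL;
    }
    return ret;
}

/* Variadic front end so the check below can build a real va_list. */
int fixed_asprintf(char **ptr, const char *format, ...)
{
    va_list ap;
    int ret;

    va_start(ap, format);
    ret = fixed_vasprintf(ptr, format, ap);
    va_end(ap);
    return ret;
}

/* Constructed check: a mixed string/int/long argument list must come
 * out intact on the second pass. Returns 1 on success, 0 otherwise. */
int demo_format_matches(void)
{
    char *buf = NULL;
    int n = fixed_asprintf(&buf, "user=%s pid=%d size=%ld",
                           "rick", 4321, 65536L);
    int ok = (n == 29 && buf != NULL &&
              strcmp(buf, "user=rick pid=4321 size=65536") == 0);
    free(buf);
    return ok;
}

/* Constructed check for the zero-length case: the caller still gets a
 * valid, empty, heap string rather than an untouched pointer. */
int demo_empty_format(void)
{
    char *buf = NULL;
    int n = fixed_asprintf(&buf, "%s", "");
    int ok = (n == 0 && buf != NULL && buf[0] == '\0');
    free(buf);
    return ok;
}

int main(void)
{
    printf("format check: %s\n", demo_format_matches() ? "ok" : "FAILED");
    printf("empty check:  %s\n", demo_empty_format() ? "ok" : "FAILED");
    return 0;
}
```

Two design choices differ from the quoted Samba routine: the early return is on ret < 0 rather than ret <= 0, so a zero-length result still allocates and returns an empty string instead of leaving *ptr unset, and a failed second pass frees the buffer and nulls *ptr so the caller never holds a dangling allocation. va_copy() is a C99 feature; a 2001-era compiler such as the one named above may only offer it under a vendor name, which is the portability concern the post raises with option 1.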