Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 6/7/83; site hao.UUCP
Path: utzoo!linus!decvax!harpo!seismo!hao!pag
From: pag@hao.UUCP (Peter Gross)
Newsgroups: net.news.b
Subject: Bug fixes for expire infinite loop
Message-ID: <858@hao.UUCP>
Date: Wed, 15-Feb-84 14:05:54 EST
Article-I.D.: hao.858
Posted: Wed Feb 15 14:05:54 1984
Date-Received: Thu, 16-Feb-84 05:59:42 EST
Organization: High Altitude Obs./NCAR, Boulder CO
Lines: 106

The expire infinite loop bug was caused by two separate problems.
The problem likely only shows up on PDP-11/70's, but could eventually
occur on any non-virtual memory UNIX, as a segmentation violation.
1.  In header.c, hread() didn't check the return value of malloc()
    when it dynamically allocated memory for "unrecognized" header
    fields.  Normally this would cause a segmentation violation when
    the NULL pointer was used as a store address.  But because it was
    used as an argument to strcpy(), nothing (noticeable) happened.
    Try it, campers: strcpy(NULL, "any old string") does not cause
    a SIGSEGV (at least on PDP-11/70's when compiled sep i/d)!
2.  In expire the code reads through the existing history file,
    processing lines one at a time, checking for expiration, removing
    expired articles, remaking a new history file and associated dbm
    files.  Well, as time goes on, the cumulative effect of doing
    hread()'s on articles with unrecognized header lines eventually
    uses up all the free memory.  But hread() keeps on doing its
    strcpy(h.unrec[blotto], ).  This drives everything
    bonzo .... expire blows its cookies, store() stops working,
    and somehow the article which couldn't malloc() any more memory
    starts looping in the nhistory file.  Ouch!
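The two defects above, as an added C example that is not code from this post or from B news: the OTHER case of hread() reworked so a failed malloc() is reported instead of being handed to strcpy(), plus a release routine meant to be called once per history line in expire so the allocations cannot pile up. NUNREC, the struct layout, the function names and the return codes are assumptions.

```c
/* Added example (not the original B news code).  Models the
 * unrecognized-header storage from hread() with a malloc() check and
 * a matching free routine for expire's per-line loop. */
#include <stdlib.h>
#include <string.h>

#define NUNREC 16               /* assumed table size */

struct header {
    int unreccnt;               /* how many unrec[] slots are in use */
    char *unrec[NUNREC];        /* "unrecognized" header lines */
};

void init_header(struct header *hp)
{
    hp->unreccnt = 0;
    for (int i = 0; i < NUNREC; i++)
        hp->unrec[i] = NULL;    /* so free_unrec() is safe on an unused header */
}

/* Keep one unrecognized header line.  Returns 0 on success, -1 when the
 * table is full (line dropped, as the original did) and -2 when malloc()
 * fails; the caller must treat -2 as fatal for this article instead of
 * carrying on the way the old code did. */
int add_unrec(struct header *hp, const char *bfr)
{
    if (hp->unreccnt >= NUNREC)
        return -1;
    char *copy = malloc(strlen(bfr) + 1);
    if (copy == NULL)
        return -2;              /* never reach strcpy() with a NULL target */
    strcpy(copy, bfr);
    hp->unrec[hp->unreccnt++] = copy;
    return 0;
}

/* Release what add_unrec() allocated.  Called once per history line in
 * expire, this keeps memory use flat over the whole run instead of
 * growing with every article that carried unrecognized headers. */
void free_unrec(struct header *hp)
{
    for (int i = 0; i < hp->unreccnt; i++) {
        free(hp->unrec[i]);
        hp->unrec[i] = NULL;
    }
    hp->unreccnt = 0;
}
```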

Here are the fixes, first to header.c and second to expire.c:
*** header.orig.c	Wed Feb 15 11:48:56 1984
--- header.c	Wed Feb 15 11:47:48 1984
***************
*** 213,218
  		case OTHER:
  			if (unreccnt < NUNREC) {
  				hp->unrec[unreccnt] = malloc(strlen(bfr) + 1);
  				strcpy(hp->unrec[unreccnt], bfr);
  				unreccnt++;
  			}

--- 215,222 -----
  		case OTHER:
  			if (unreccnt < NUNREC) {
  				hp->unrec[unreccnt] = malloc(strlen(bfr) + 1);
+ 				if(hp->unrec[unreccnt] == (char *) NULL)
+ 				    xerror("frmread out of memory\n");
  				strcpy(hp->unrec[unreccnt], bfr);
  				unreccnt++;
  			}
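Review bot: the NULL check lands in the right place (between the malloc() and the strcpy() the post blames), but the strcpy() on the following line is still reached if xerror() ever returns, so this only closes the hole when xerror() is guaranteed not to come back; if it can return, put the strcpy() and unreccnt++ under an else. Separately, the message text "frmread out of memory\n" names a routine other than the hread() this post describes; use the name of the function the check actually lives in so the logged error points at the right place.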

*** expire.orig.c	Wed Feb 15 11:49:29 1984
--- expire.c	Wed Feb 15 11:47:46 1984
***************
*** 211,216
  		ohfd = xfopen(ARTFILE, "r");
  		nhfd = xfopen(NARTFILE, "w");
  	}
  
  	while (TRUE) {
  		if (nohistory) {

--- 214,221 -----
  		ohfd = xfopen(ARTFILE, "r");
  		nhfd = xfopen(NARTFILE, "w");
  	}
+ 	for(i=0;i
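Review bot: the added loop is placed after the xfopen() block and before `while (TRUE)`, so it executes once before the history file is walked rather than once per line. The post says memory is consumed by each hread() on each history line, so a one-time pass over h.unrec[] here cannot by itself stop the growth; any release of the per-article allocations has to sit inside the while loop. The loop body is cut off in this copy (`for(i=0;i`) and `i` is not declared anywhere in the visible context, so confirm it is declared in the function and that the loop bound matches the size of unrec[].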