[9fans] 9vx frogs

[9fans] 9vx frogs

[Anthony Martin]

Trying to exec a filename with frogs in it causes the first
validnamedup() in sysexec to throw an error. The waserror
branch then tries to free(file) causing an invalid pointer
in munmap_chunk.

I can provide a trace if necessary but I think it's just
a matter of not trying to free "file" before it becomes
a heap address from the dup.

     Anthony

Re: [9fans] 9vx frogs

[Russ Cox]

> Trying to exec a filename with frogs in it causes the first
> validnamedup() in sysexec to throw an error. The waserror
> branch then tries to free(file) causing an invalid pointer
> in munmap_chunk.
>
> I can provide a trace if necessary but I think it's just
> a matter of not trying to free "file" before it becomes
> a heap address from the dup.

Thanks, perfect summary.
The fix is below.  I'm not going to bother packing up
a new version yet, and I don't have a public repository
yet either.

Russ

--- a/src/9vx/a/sysproc.c
+++ b/src/9vx/a/sysproc.c
@@ -219,7 +219,7 @@ long
 long
 sysexec(ulong *arg)
 {
-	char *volatile elem, *volatile file;
+	char *volatile elem, *volatile file, *ufile;
 	Chan *volatile tc;

 	/*
@@ -238,8 +238,8 @@ sysexec(ulong *arg)
 		nexterror();
 	}

-	file = uvalidaddr(arg[0], 1, 0);
-	file = validnamedup(file, 1);
+	ufile = uvalidaddr(arg[0], 1, 0);
+	file = validnamedup(ufile, 1);
 	tc = namec(file, Aopen, OEXEC, 0);
 	kstrdup((char**)&elem, up->genbuf);