On Thu, Jun 22, 2023 at 05:46:09PM +0100, Frank Busse wrote:
> Hi,
>
> I ran KLEE on revision #530407 and it found a segfault in cron. It can
> be reproduced via:
>
> $ printf '1*' > A
> $ sbase-530407/bin/cron "-nfA"
>
> Seems free() points into rubbish:
>
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==2103==ERROR: AddressSanitizer: SEGV on unknown address
>
> #4 in __interceptor_free (ptr=0xbebebebebebebebe)
> #5 in parsefield (field=0x60c000000040 "1*", low=0, high=59,
> f=0x60d000000040) at cron.c:335
> #6 in loadentries () at cron.c:419
> #7 in main (argc=0, argv=0x7fffffffe3d8) at cron.c:528
>
> Best,
>
> Frank
Hi, I can reproduce it also with clang and -fsanitize=address. I think this is because it is one case where f->val is uninitialized. The below patch initializes f->val and f->len before doing anything. Lightly tested patch below: diff --git a/cron.c b/cron.c index 77304cc..c4d9af8 100644 --- a/cron.c +++ b/cron.c @@ -254,6 +254,8 @@ parsefield(const char *field, long low, long high, struct field *f) while (isdigit(*p)) p++; + f->val = NULL; + f->len = 0; f->type = ERROR; switch (*p) { -- Kind regards, Hiltjo
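Review bot: setting `f->val = NULL; f->len = 0;` only after the `while (isdigit(*p)) p++;` scan leaves a window in which `f->val` is still whatever the caller passed in, so please confirm there is no earlier exit from parsefield before that loop; placing the two assignments at the very top of the function makes the "val is NULL unless this call allocated it" invariant unconditional and easier to audit. The fix itself is sound for the reported input: with `1*` the switch on `*p` lands in the ERROR path, and the `free()` at cron.c:335 now receives NULL instead of the uninitialised 0xbebebebebebebebe pattern from the report. One thing worth checking in the caller (loadentries, not visible in the hunk): if a `struct field` is reused across crontab lines, overwriting a previously allocated `f->val` with NULL here would leak it rather than free it, so either the caller should free or zero the struct first, or this initialisation belongs there.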