Hi everyone (again),

An evening of debugging several errors we lately received in qmailadmin,
let me to this bug in vpopmail itself. We always got a blank screen
while adding the first forward to a domain. The forward was created,
however, also the Apache logs showed a double `free()'. Adding new
forwards after this first one went okay, without any hassles.

After some debugging, I came at vpopmail's `vpalias.c'. Inside the
function `valias_select_names' a `realloc()' is done after the
while-loop, to decrease the number of slots inside the array, to the
actually used slots. Good thing: clearing up your garbage, however, what
if `num_names' is zero -- as in our case, when there is no forward yet.

`realloc()'s behavior in this case is defined as [1]:

> In case that the size is 0, the memory previously allocated in ptr is 
> deallocated as if a call to free was made, and a NULL pointer is returned.

Since, the function was called earlier, `names' was indeed pointing to
some area of memory. So `realloc()' free()'d that, and returned NULL.

The check following after the `realloc()' checks indeed whether it is
NULL or not, if not, it resets `names' to the address returned by

This is where it goes wrong: `names' is still pointing to that freed
amount of memory.

A fix: checking whether `num_names != 0' (but that will not shrink the
array), or -- it's late so I haven't checked -- just sticking
`realloc()'s return address directly into `names'.

Hope it all clear, and somebody can do something with it :].

Kind regards,
Harm van Tilborg
Tiscom Hosting B.V.

[1] http://www.cplusplus.com/reference/clibrary/cstdlib/realloc/


Reply via email to