double-free error on FreeBSD?

[Matt Small]

Hi,

I'm getting what appears to be a double-free bug in cfagent on FreeBSD
5.2.1, when I use BindToInterface in my cfagent configuration.  This is
with the latest version (2.1.10), compiled from vanilla source, but it
also appears to affect 2.1.5.

I believe what's happening is that freeaddrinfo() free()s response2, but
doesn't set it to NULL.  So the check further down, finding that
response2!=NULL, tries to free() that memory a second time.


Backtrace:

Connect to cfm.splendous.net = 10.0.1.1 on port cfengine
cfagent in free(): error: chunk is already free

Program received signal SIGABRT, Aborted.
0x28332cbf in kill () from /lib/libc.so.5
(gdb) bt
#0  0x28332cbf in kill () from /lib/libc.so.5
#1  0x28327798 in raise () from /lib/libc.so.5
#2  0x2839fed2 in abort () from /lib/libc.so.5
#3  0x2839e64e in tcflow () from /lib/libc.so.5
#4  0x2839e67b in tcflow () from /lib/libc.so.5
#5  0x2839fb7f in realloc () from /lib/libc.so.5
#6  0x2839f1e0 in tcflow () from /lib/libc.so.5
#7  0x2839f3f0 in free () from /lib/libc.so.5
#8  0x0805a135 in RemoteConnect (host=0xbfbf4b60 "cfm.splendous.net",
    forceipv4=110 'n') at ip.c:100
#9  0x080583bf in OpenServerConnection (ip=0x8155300) at client.c:57 #10
0x08053aa8 in MakeImages () at do.c:2441
#11 0x0804d3b4 in DoTree (passes=1, info=0x809b154 "Update") at
cfagent.c:1240
#12 0x0804b24e in main (argc=2, argv=0xbfbfec84) at cfagent.c:106
#13 0x0804ae82 in _start ()


I've included two patches, both against 2.1.10.  They're both pretty
simple; I've tested dbl-free.patch.gz, and I have yet to try
dbl-free-untested.patch.gz.  But, I think the fix is cleaner in the second
case, and I can give that one a try if there's interest.

-matt

dbl-free.patch.gz
Description: GNU Zip compressed data

dbl-free-untested.patch.gz
Description: GNU Zip compressed data