Thanks a lot for the very fast response in tagging 2.7.7 and hence fixing the problem for unstable.
However, I am not sure if this bug should be closed yet as 'stable' (Debian 11 / bullseye) also must be fixed. As bullseye cannot update the upstream package version, a patch must be introduced to the Debian package. Or should there be a separate Debian bug filed for bullseye?

Regards,
Harald

On Wed, Dec 08, 2021 at 10:51:07PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the libulfius2.7 package:
>
> #1001328: ulfius_url_{encode,decode} call malloc instead of o_malloc
>
> It has been closed by Debian FTP Masters <ftpmas...@ftp-master.debian.org>
> (reply to Nicolas Mora <babelou...@debian.org>).
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Debian FTP Masters
> <ftpmas...@ftp-master.debian.org> (reply to Nicolas Mora
> <babelou...@debian.org>) by
> replying to this email.
>
>
> --
> 1001328: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001328
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
> Date: Wed, 08 Dec 2021 22:49:03 +0000
> From: Debian FTP Masters <ftpmas...@ftp-master.debian.org>
> To: 1001328-cl...@bugs.debian.org
> Subject: Bug#1001328: fixed in ulfius 2.7.7-1
>
> Source: ulfius
> Source-Version: 2.7.7-1
> Done: Nicolas Mora <babelou...@debian.org>
>
> We believe that the bug you reported is fixed in the latest version of
> ulfius, which is due to be installed in the Debian FTP archive.
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed. If you
> have further comments please address them to 1001...@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Nicolas Mora <babelou...@debian.org> (supplier of updated ulfius package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmas...@ftp-master.debian.org)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Wed, 08 Dec 2021 17:27:55 -0500
> Source: ulfius
> Architecture: source
> Version: 2.7.7-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian IoT Maintainers <debian-iot-maintain...@lists.alioth.debian.org>
> Changed-By: Nicolas Mora <babelou...@debian.org>
> Closes: 1000989 1001328
> Changes:
> ulfius (2.7.7-1) unstable; urgency=medium
> .
> [Paride Legovini]
> * d/t/unit-test: run with ::1 in no_proxy (LP: #1945634)
> .
> [Nicolas Mora]
> * New upstream release (Closes: #1001328)
> * Fix testsuite fail with proxy (Closes: #1000989)
>
> Date: Wed, 08 Dec 2021 17:15:22 +0100
> From: Harald Welte <lafo...@gnumonks.org>
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> Subject: ulfius_url_{encode,decode} call malloc instead of o_malloc
> X-Mailer: reportbug 11.1.0
>
> Package: libulfius2.7
> Version: 2.7.6-1
> Severity: important
> Tags: patch upstream
> X-Debbugs-Cc: Nicolas Mora <git...@babelouest.org>
>
> Ulfius has the capability of applications registering their own memory
> allocation functions using o_set_alloc_funcs(), as described in API.md
> at https://github.com/babelouest/ulfius/blob/master/API.md#memory-management
>
> Applications such as osmo-remsim make use of this feature to introduce
> libtalloc as a tool to help locating memory leaks.
>
> However, from 2.6.0 up to 2.7.6 and current master, ulfius introduced
> a bug which renders this feature unusable: Some new code started to bypass
> the application-provided malloc-function but directly call libc-malloc
> while passing that libc-malloc-allocated memory to the application-provided
> free-function. As every memory allocator expects to receive only memory it
> has allocated to its free-function, this immediately crashes every application
> with custom allocator functions.
>
> The upstream bug report is at https://github.com/babelouest/ulfius/issues/206
>
> The upstream pull request is at https://github.com/babelouest/ulfius/pull/207
>
> Debian will need to patch/update the ulfius packages for bullseye + sid.
> Debian buster is not affected, as it still ships ulfius 2.5.x which is prior
> to introducing the bug.
>
> -- System Information:
> Debian Release: bookworm/sid
> APT prefers unstable-debug
> APT policy: (500, 'unstable-debug'), (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.14.0-4-amd64 (SMP w/4 CPU threads)
> Kernel taint flags: TAINT_DIE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libulfius2.7 depends on:
> ii libc6 2.32-5
> ii libcurl3-gnutls 7.79.1-2
> ii libgnutls30 3.7.2-2
> ii libjansson4 2.13.1-1.1
> ii libmicrohttpd12 0.9.73-4
> ii liborcania2.2 2.2.1-1+b1
> ii libyder2.0 1.4.14-1
> ii zlib1g 1:1.2.11.dfsg-2
>
> libulfius2.7 recommends no packages.
>
> libulfius2.7 suggests no packages.
>
> -- no debconf information
> From a2951c32475a79fccfaa06b7c3c36297c6f6cf5b Mon Sep 17 00:00:00 2001
> From: Harald Welte <lafo...@osmocom.org>
> Date: Wed, 8 Dec 2021 16:57:12 +0100
> Subject: [PATCH] u_request: Don't use malloc, but always o_malloc
>
> Allocating memory using malloc, but then free'ing it using o_free will
> not work for anyone using a custom memory allocator. The allocations
> and free's must either both go to libc, or both via the custom
> allocator; one cannot allocate one way and release another.
>
> Closes: #206
> --- > src/u_request.c | 2 +- > src/ulfius.c | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/src/u_request.c b/src/u_request.c > index 385572b..8203c5e 100644 > --- a/src/u_request.c > +++ b/src/u_request.c 
> @@ -143,7 +143,7 @@ static char from_hex(char ch) { > */ > static char * url_decode(const char * str) { > if (str != NULL) { > - char * pstr = (char*)str, * buf = malloc(strlen(str) + 1), * pbuf = buf; > + char * pstr = (char*)str, * buf = o_malloc(strlen(str) + 1), * pbuf = > buf; > while (* pstr) { > if (* pstr == '%') { > if (pstr[1] && pstr[2]) { > diff --git a/src/ulfius.c b/src/ulfius.c > index 0d7da36..8a0caa6 100644 > --- a/src/ulfius.c > +++ b/src/ulfius.c > @@ -1842,7 +1842,7 @@ static char to_hex(char code) { > char * ulfius_url_encode(const char * str) { > char * pstr = (char*)str, * buf = NULL, * pbuf = NULL; > if (str != NULL) { > - buf = malloc(strlen(str) * 3 + 1); > + buf = o_malloc(strlen(str) * 3 + 1); > if (buf != NULL) { > pbuf = buf; > while (* pstr) { > @@ -1876,7 +1876,7 @@ char * ulfius_url_encode(const char * str) { > char * ulfius_url_decode(const char * str) { > char * pstr = (char*)str, * buf = NULL, * pbuf = NULL; > if (str != NULL) { > - buf = malloc(strlen(str) + 1); > + buf = o_malloc(strlen(str) + 1); > if (buf != NULL) { > pbuf = buf; > while (* pstr) { > -- > 2.34.1 > -- - Harald Welte <lafo...@gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)
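
Review bot: In the src/u_request.c hunk, url_decode() goes from `buf = o_malloc(strlen(str) + 1)` straight into the `while (* pstr) {` loop that writes through pbuf, with no NULL check, and an application-supplied allocator can fail just as libc can. The two ulfius.c functions in this patch guard the loop with `if (buf != NULL) {`; the same guard here, returning NULL on failure, would make all three consistent.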
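
Review bot: Missing documentation in the ulfius_url_encode() hunk (src/ulfius.c, @@ -1842): the returned buffer now comes from `o_malloc`, so callers must release it with o_free(), and a caller that still hands it to libc free() gets the same allocate-one-way, release-another mismatch the commit message describes, only reversed. Please state the o_free() requirement in the function's doc comment, and likewise for ulfius_url_decode() in the last hunk.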
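
Review bot: No test accompanies the ulfius_url_decode() fix in the last hunk (src/ulfius.c, @@ -1876); the diffstat lists only src/u_request.c and src/ulfius.c, so nothing would catch the next plain `malloc` that slips in. A test that registers counting allocators through o_set_alloc_funcs(), calls ulfius_url_encode() and ulfius_url_decode(), frees the results and checks that every free matches an allocation would cover it. Separately, url_decode() in u_request.c and ulfius_url_decode() open the same way; if they are duplicates, having one call the other leaves a single allocation site to keep right.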
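
The allocator mismatch described in the bug report, as an added C example that is not part of the original message or of Ulfius. The names hook_malloc, hook_free, app_malloc, app_free and url_decode_with are hypothetical stand-ins, the decoder is a simplified one, and the application allocator counts foreign pointers where a real one would crash.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hooks standing in for what o_set_alloc_funcs() registers. */
typedef void *(*alloc_fn)(size_t);
static alloc_fn hook_malloc = malloc;
static void (*hook_free)(void *) = free;

/* Application allocator that tracks what it owns, as a leak-hunting one does. */
static void *live[16];
static int foreign_frees;
static void *app_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < 16; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                          /* malloc failed or table full */
    return NULL;
}
static void app_free(void *p) {
    for (int i = 0; p != NULL && i < 16; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    if (p != NULL) foreign_frees++;   /* not ours: a real allocator would abort here */
    free(p);                          /* in this demo the pointer came from libc */
}

/* Simplified percent-decoder (not Ulfius code) with the allocator as a parameter. */
static char *url_decode_with(alloc_fn alloc, const char *str) {
    char *buf = alloc(strlen(str) + 1), *out = buf;
    for (const char *p = str; buf != NULL && *p; p++) {
        if (*p == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            *out++ = (char)strtol(hex, NULL, 16);
            p += 2;
        } else *out++ = *p;
    }
    if (buf != NULL) *out = '\0';
    return buf;
}

/* Foreign frees seen by the app allocator; -1 if the decode itself went wrong. */
int count_foreign_frees(int use_hook) {
    hook_malloc = app_malloc; hook_free = app_free; foreign_frees = 0;
    char *s = url_decode_with(use_hook ? hook_malloc : malloc, "a%20b");
    int ok = s != NULL && strcmp(s, "a b") == 0;
    hook_free(s);
    return ok ? foreign_frees : -1;
}

int main(void) { return count_foreign_frees(0) == 1 && count_foreign_frees(1) == 0 ? 0 : 1; }
```

Passing 0 reproduces the pre-patch pattern (libc allocation, hooked free) and passing 1 the patched one.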