
free(NULL) atexit (ITS#1014)

Full_Name: Mike Schiraldi
Version: 2.0.7
OS: RHL 7.0
Submission from: (NULL) (

This may be a bug in glibc. But I mention it on the off chance OpenLDAP is using
glibc incorrectly.

It appears that some md5 code is registering a function via atexit() which will
attempt to free NULL. For some reason the program doesn't die when this happens;
perhaps it has something to do with the fact that it's already exiting. Anyway,
here's the skinny:

$ cat test.c
int main()
{
  return 0;
}

$ cat mem.c
#include <stdio.h>

/* Interposed free(): only reports a NULL argument, never releases memory. */
void free(void * ptr)
{
  if(ptr == NULL)
    fprintf(stderr, "free() called on NULL pointer!\n");
}

$ gcc test.c -llber -lresolv mem.c
$ ./a.out

[Note that there was no problem since -lldap was omitted. Now watch...]

$ gcc test.c -lldap -llber -lresolv mem.c
$ ./a.out
free() called on NULL pointer!
$ gdb a.out

(gdb) break fprintf
Breakpoint 1 at 0x80484b0
(gdb) r
(gdb) bt
#0  fprintf (stream=0x401809c0, 
    format=0x8048680 "free() called on NULL pointer!\n") at fprintf.c:31
#1  0x80485f7 in free ()
#2  0x402849ce in free_mem () at md5-crypt.c:263
#3  0x4028400d in __do_global_dtors_aux () from /lib/libcrypt.so.1
#4  0x40286d8d in _fini () from /lib/libcrypt.so.1
#5  0x4000e182 in _dl_fini () at dl-fini.c:170
#6  0x40091f56 in exit (status=0) at exit.c:57
#7  0x4007eb6e in __libc_start_main (main=0x80485cc <main>, argc=1, 
    ubp_av=0xbffffae4, init=0x8048460 <_init>, fini=0x804863c <_fini>, 
    rtld_fini=0x4000df24 <_dl_fini>, stack_end=0xbffffadc)
    at ../sysdeps/generic/libc-start.c:111

The relevant lines of md5-crypt.c:

static void
__attribute__ ((__destructor__))
free_mem (void)
{
  free (buffer);
}

So this could be a glibc bug -- maybe there should be an if(buffer != NULL) in
there. What do you think?
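As an added illustration (not code from the report, OpenLDAP or glibc): a lazily grown buffer released from a GCC destructor, like free_mem() in md5-crypt.c, with the NULL guard suggested above, plus a counting wrapper in the spirit of the mem.c shim so the free(NULL) case is observable rather than silent. The names (ensure_buffer, release_buffer, checked_free, null_frees) are constructed for this example.

```c
#include <stdlib.h>

/* Constructed example: a buffer that is only allocated on first use, like the
   static `buffer` in glibc's md5-crypt.c, and released from a destructor at exit. */
static char *buffer = NULL;
static size_t buffer_len = 0;

/* Counts how often free() would have received NULL; stands in for the
   fprintf shim in mem.c, but keeps the count so a test can assert on it. */
static unsigned null_free_count = 0;

/* Wrapper around free(): records a NULL argument instead of passing it on.
   (free(NULL) is defined as a no-op by the C standard; the wrapper only makes
   the call visible.) */
static void checked_free(void *ptr)
{
    if (ptr == NULL) {
        null_free_count++;
        return;
    }
    free(ptr);
}

/* Grows the buffer on demand. Returns 0 on success, -1 if realloc() fails. */
int ensure_buffer(size_t needed)
{
    if (buffer_len >= needed)
        return 0;
    char *p = realloc(buffer, needed);
    if (p == NULL)
        return -1;
    buffer = p;
    buffer_len = needed;
    return 0;
}

/* Guarded release: returns 1 if a buffer was freed, 0 if there was nothing. */
int release_buffer(void)
{
    if (buffer == NULL)        /* the if(buffer != NULL) guard from the report */
        return 0;
    checked_free(buffer);
    buffer = NULL;
    buffer_len = 0;
    return 1;
}

/* Number of times checked_free() was handed NULL so far. */
unsigned null_frees(void) { return null_free_count; }

/* Runs at process exit, like free_mem() in md5-crypt.c (GCC-specific attribute). */
static void __attribute__((destructor)) free_mem(void) { release_buffer(); }
```

Linking a program that never touches the buffer shows the point: without the guard the destructor would call free(NULL) once at exit; with it, release_buffer() simply returns 0.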