Bugs in saned

Ingo Wilken (Ingo.Wilken@Informatik.Uni-Oldenburg.DE)
Fri, 12 Mar 1999 21:44:42 +0100 (MET)

Hi!

Out of curiosity, I tried to access my scanner backend (st400) with the
net interface. That was a good thing, because it triggered a bug in my
backend, but after fixing that, there was still a minor problem: After
scanning was complete, saned would not print its "exiting" message to
syslog. After some investigating, I found a bug in saned:

In get_free_handle(), saned mallocs/reallocs a block of handles, but
never initializes this memory. In quit(), it then runs through the
entire block, trying to close the handles. If this block contained some
garbage at allocation, it might call sane_close() on random memory.

The fix is simple. After the if-malloc-else-realloc sequence at the
end of get_free_handle(), add a line:
memset(handle+last_handle_checked+1, 0, ALLOC_INCREMENT*sizeof (handle[0]));

I think there's also a race condition with the watchdog alarm timer:
process_request() blocks until it receives a request, then calls quit()
if it is SANE_NET_EXIT (or SANE_NET_INIT/SANE_NET_AUTHORIZE). quit() now
calls sane_close() on all file handles. If the watchdog timer happens to
run out at this time, it calls quit() itself, triggering a second run,
which calls sane_close() with invalid handles.

Regards,
Ingo

--
Source code, list archive, and docs: http://www.mostang.com/sane/
To unsubscribe: echo unsubscribe sane-devel | mail majordomo@mostang.com
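The two defects described in the message, an uninitialised handle table and a quit() that is not safe to enter twice from the watchdog, come down to one pattern: a table grown by malloc/realloc whose new slots must be cleared before anything iterates over them, and a shutdown routine that must be idempotent. The following C program is an added illustration written for this page, not code from saned or from the poster; it is a simplified stand-in for saned's handle table (the names get_free_handle, quit, ALLOC_INCREMENT follow the post, everything else, including fake_sane_close, the Handle struct layout and the watchdog helper, is assumed). The memset mirrors the fix from the post, and quit() shows one way to survive the watchdog race: disarm the alarm, short-circuit re-entry with a flag, and mark each slot free before closing it, so a second pass has nothing left to close.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ALLOC_INCREMENT 4   /* grow the table in chunks, as saned does */

/* One slot of the handle table.  An all-zero slot is "free" (inuse == 0),
 * which is exactly why newly allocated memory must be zeroed before quit()
 * ever looks at it.  (Assumed layout, not saned's real struct.) */
typedef struct {
    int   inuse;
    void *handle;   /* would hold a SANE_Handle in saned */
} Handle;

static Handle *handle = NULL;   /* the table */
static int     num_handles = 0; /* slots currently allocated */

/* Stand-in for sane_close(): counts calls instead of touching a scanner. */
static int closes_done = 0;
static void fake_sane_close(void *h) { (void)h; closes_done++; }
int get_closes_done(void) { return closes_done; }

/* Returns the index of a free slot (marked inuse), growing the table when
 * none is free.  Every slot added by malloc/realloc is cleared right away,
 * so garbage can never masquerade as an open handle.  Returns -1 on OOM. */
int get_free_handle(void)
{
    int i;
    for (i = 0; i < num_handles; ++i)
        if (!handle[i].inuse) {
            handle[i].inuse = 1;
            return i;
        }
    /* no free slot: grow (realloc(NULL, n) behaves like malloc(n)) */
    int new_count = num_handles + ALLOC_INCREMENT;
    Handle *grown = realloc(handle, new_count * sizeof(handle[0]));
    if (!grown)
        return -1;
    handle = grown;
    /* the fix from the post: zero the freshly allocated slots */
    memset(handle + num_handles, 0, ALLOC_INCREMENT * sizeof(handle[0]));
    i = num_handles;
    num_handles = new_count;
    handle[i].inuse = 1;
    return i;
}

/* Opens n handles in a row; returns the index of the last one. */
int open_n(int n)
{
    int idx = -1;
    for (int k = 0; k < n; ++k)
        idx = get_free_handle();
    return idx;
}

/* Number of allocated slots that are not in use.  Without the memset above
 * this count would depend on whatever the heap happened to contain. */
int free_slots(void)
{
    int n = 0;
    for (int i = 0; i < num_handles; ++i)
        if (!handle[i].inuse)
            n++;
    return n;
}

static volatile sig_atomic_t quitting = 0;

/* Closes every open handle exactly once and returns how many it closed.
 * Safe to enter a second time (for example from the SIGALRM watchdog while
 * the first call is still closing): the alarm is disarmed, the flag rejects
 * re-entry, and each slot is marked free before its handle is closed.
 * saned's quit() would exit(); this one returns so it can be exercised. */
int quit(void)
{
    if (quitting)
        return 0;
    quitting = 1;
    alarm(0);                       /* stop the watchdog from firing mid-close */
    int closed = 0;
    for (int i = 0; i < num_handles; ++i)
        if (handle[i].inuse) {
            handle[i].inuse = 0;    /* free the slot before the close call */
            fake_sane_close(handle[i].handle);
            closed++;
        }
    free(handle);
    handle = NULL;
    num_handles = 0;
    return closed;
}

/* Watchdog handler in the spirit of saned's: it just calls quit(). */
static void watchdog_handler(int sig) { (void)sig; quit(); }

/* Arms the watchdog; the timeout is a constructed value. */
void arm_watchdog(unsigned seconds)
{
    signal(SIGALRM, watchdog_handler);
    alarm(seconds);
}

int main(void)
{
    arm_watchdog(30);
    printf("opened up to index %d, free slots after growth: %d\n", open_n(6), free_slots());
    printf("first quit closed %d, second quit closed %d, total closes %d\n",
           quit(), quit(), get_closes_done());
    return 0;
}
```

Opening six handles forces two growth steps (eight slots), and free_slots() reporting exactly two is what the memset guarantees; the two consecutive quit() calls show that the second pass closes nothing, which is the property a watchdog-triggered re-entry needs.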