Patch Name: PHCO_20098

Patch Description: s700_800 10.20 libc cumulative patch

Creation Date: 99/10/21

Post Date: 99/10/28

Repost: 00/12/29
    The patch documentation was modified to remove references to a fix that is not included in the patch. The fix for the future error generated by the ANSI C++ compiler due to two header files defining MAXINT is not included in the patch. The references to this fix were removed from the patch documentation. The documentation was also modified to provide additional details in the Defect Description on the two new APIs provided in to allow programmatic access to resolver(3N) retransmissions or timeouts.

Hardware Platforms - OS Releases:
    s700: 10.20
    s800: 10.20

Products: N/A

Filesets:
    OS-Core.C-MIN
    OS-Core.CORE-SHLIBS
    ProgSupport.PROG-MIN
    ProgSupport.PROG-AUX

Automatic Reboot?: No

Status: General Superseded

Critical:
    No (superseded patches were critical)
    PHCO_13189: CORRUPTION
    PHCO_8108: CORRUPTION

Path Name: /hp-ux_patches/s700_800/10.X/PHCO_20098

Symptoms:
    PHCO_20098:
    printf() is not rounding but truncating. For example, printf("%lf\n",0.99924950); is printed as 0.999249 but it should be rounded to 0.999250.
    JAGab71648; SR 8606104252

    strncat will copy extra characters under some circumstances.
    JAGab74949; SR 8606106102

    strncat will dump core if the source string is next to a page boundary, the next page is unreadable, and the programmer mis-stated the string length as bigger than the buffer.
    JAGaa05163; SR 4701389700

    strncmp will dump core if one null-terminated string is next to a page boundary and the programmer mis-stated the string length as bigger than the buffer.
    JAGab75446; SR 4701389700

    The default resolver configurable timeout is large (5 seconds). VUE may take a long time to come up when the system is not connected to the network.
    JAGaa27056, JAGaa27175; SR 5003410290, 5003424531

    PHCO_19181:
    With environment variable LANG set to any non-C locale, the /usr/bin/sed command loops internally when the command "cat | sed 's/*$//g'" is run.
    The input file includes the following pattern.
        [1 or more bytes single characters][4 or more spaces]\n
        [1 or more bytes single characters]/[1 or more bytes single characters]
    It is important that there are four or more spaces at the end of the first line and that there is a / (slash) in the second line. This pattern causes the problem. For example, the simplest example is the following.
        00    
        0/0
    There are four spaces after "00".
    JAGab24447; SR 1653308684

    libc sigaction() wrapper can core dump when linked with libcma.
    JAGab25112; SR 4701428805

    PHCO_18644:
    strrstr(s1, s2) sometimes claims that a match is found when actually there is no match. Consider an example.
        s0 = "ABCDEFG";
        s1 = s0;
        s1 ++;    /* s1 points to "BCDEFG" */
        s2 = "ABCDEFG".
    Now strrstr(s1, s2) returns "ABCDEFG", which means that a match is found. It should have returned NULL.
    JAGaa41142; SR 5003436923

    Customers will not be able to use services like ftp, telnet etc. under an NIS environment.
    JAGab20818; SR 5003465781

    PHCO_18338:
    netgroup lookups failed when NIS is not used.
    JAGab13005; SR 5003459693

    When calling strncmp with one valid string pointer, a null pointer and a length of zero, strncmp will return the first character or the negative of the first character of the valid string instead of an expected zero.
    SR 5003463463

    NaN and Infinity were printed incorrectly in case of long double.
    JAGaa86217

    .005 gets printed as 0.00 in %.2f even though its intern. rep. is > .005
    JAGaa72895

    getxxbyyy commands leave reserved UDP ports created by NIS opened.
    JAGaa31864 JAGaa42352; SR 5003422337 5003439299

    If the system is configured for NIS and a process with uid as "0" is run, the libc APIs getpwnam, getgrnam, getpwuid, getgrgid, initgroups() end up calling yp_match() to query NIS. For a process running as uid==0, the UDP port acquired when the yp_match call is made is in the reserved range and the port will remain blocked for the entire duration of the process.
    If one has many processes (greater than the fixed number of reserved UDP ports), each of which is holding a reserved UDP port open, the system runs out of available reserved UDP ports and because of this, NFS stops working properly.
    JAGab12846; SR 5003459735

    PHCO_18018:
    regexec() finds a match for "." in the empty string "" with locales other than C.
    JAGaa53114; SR 4701413906

    When attempting to assemble using a 9.X assembler the assembler complains about unknown syntax.
    JAGaa62460

    When the buffer is next to a page boundary and the next page is unreadable strncmp can core dump. Also when using -1 as a count strncmp did not treat the value as an unsigned integer.
    JAGaa24069 JAGaa01218

    If the comparison character for memchr is a negative integer memchr will not find the match.
    JAGaa93243

    strptime(3C) returned NULL when processing the date string generated by the command "date +%x" for locales zh_TW.ccdc and zh_TW.big5.
    JAGaa08262 JAGaa47278

    1. ctype(3C) routines are too slow and the macros have too many instructions because they contain function calls.
    2. The performance of singlebyte applications using the ctype routines needlessly degrades in multibyte locales.
    3. strcasecmp(3C) and strncasecmp(3C) are too slow compared to other vendors because they rely on _tolower(3C) which is a macro mapped to a function call.
    JAGaa43050 JAGaa05164

    The libc memory allocation routine calloc is likely to cause memory corruption and possibly even crash [Bus Error(core dumped)] when memory is allocated with small block allocation enabled.
    JAGab03796; SR 5003457887

    PHCO_17381:
    The check for whether the root directory has been reached in getcwd(3C) was not done correctly in the case of a Loop Back File System (LOFS).
    JAGaa62640 JAGaa86038 JAGaa86039; SR 4701414862

    For a week which contains days in the previous year and the new year, strftime(3C) with %V returns two different week numbers for days in the previous year and those in the new year.
    In addition, if there are less than 4 days in the new year, it always returns 53 as the week number for the days in the new year, regardless of what the last week of the previous year is.
    JAGaa93337 JAGaa93338 JAGaa93339; SR 1653245415

    When using the NFS export -access option with hostnames in /etc/netgroup groups, the hostnames are treated as case sensitive. This is inconsistent with the way that hostnames are entered in DNS servers.
    JAGaa24139; SR 5003407569

    The asctime() does not work for years >= 2100.
    JAGaa55561

    Scopeux, glance, and gpm performance tools fail with a bus error; a call to getpwuid() in an NIS environment results in the core dump intermittently.
    JAGaa57250

    PHCO_16723:
    When a process is in the kernel and receives a self-sent SIGABRT signal via abort(3C), the contents of the callee save registers are undefined. This causes DDE to be unable to unwind the core file generated by abort(3C).
    JAGaa43927; SR 5003443143.

    mktime() does not seem to adjust for change in TZ variable.
    JAGaa44810; SR 5003444117

    bdf gives erroneous results if the file system is vxfs.
    DSDe443933; SR 1653252635

    Excessive locking of /etc/mnttab in the getmntent(3X) family of APIs can cause a deadlock.
    JAGaa44899

    memchr() perf improvement: memchr() does not perform well when static branch prediction is enabled. memchr() causes stack overflow problems for large values of length. memchr does 64 bit compare operations on 32 bit operands.
    JAGaa13890, JAGaa41144, JAGaa41248

    mktime(3C) sets tm_isdst to 0 when daylight savings is in effect for dates past Tuesday January 19 03:14:07 UTC 2038. Since strptime(3C) obtains this value from mktime(), it also returns 0 for tm_isdst when daylight savings is in effect for those dates.
    JAGaa16206, SR 4701405688, JAGaa23230 SR 4701405696, JAGaa23233 SR 4701405720

    strptime() does not check for dates not within the supported range of Friday December 13 20:45:52 UTC 1901 and Friday December 31 23:59:59 UTC 9999.
    JAGaa23231 SR 4701405704, JAGaa23232 SR 4701405712

    PHCO_16303:
    When the length of the environment variable LANG is longer than 1024 (MAXPATHLEN), catopen(3C) in /usr/sbin/lanadmin caused a core dump.
    JAGaa01290

    Cast of one of the internal macros is incorrect.
    JAGaa13917

    setlocale() performance is unacceptable for applications that need frequent calls to this function.
    JAGaa01275; SR 1653242669

    setlocale() 9.X compatibility is broken for restore operation.
    JAGaa12729

    setlocale() leaks memory when used to switch between some multi- and single-byte locales.
    JAGaa13318

    When/if there's a possibility to introduce a new iconv conversion table whose size is larger than 2^15 * 8 bytes, iconv() could fail.
    JAGaa14162

    PHCO_16302:
    strcoll wscoll of strings with collating elements
    JAGaa18768, JAGaa18769

    (1) strptime(3C) does not support dates beyond January 19 UTC 2038 in 32-bit HP-UX.
    (2) strptime() does not fill in tm_wday, tm_mon and tm_mday when supplied both the year and day of the year.
    (3) strptime() does not treat invalid input dates and inconsistent input as errors.
    (4) strptime() does not handle %E correctly in the C locale.
    (5) strptime() returns incorrect value for tm_yday and tm_wday if tm_sec and/or tm_min are initialized to -1 when the %j conversion specification is used.
    JAGaa06544; SR 5003416719

    strptime() treats Feb 29 2000 and March 1 2000 as the same day if the %A (or %a) and %U conversion specifications are used.
    JAGaa13581 JAGaa13581; SR 1653269738

    PHCO_15808:
    (1) strptime(3C) does not support dates beyond January 19 UTC 2038 in 32-bit HP-UX.
    (2) strptime() does not fill in tm_wday, tm_mon and tm_mday when supplied both the year and day of the year.
    (3) strptime() does not treat invalid input dates and inconsistent input as errors.
    (4) strptime() does not handle %E correctly in the C locale.
    JAGaa06544

    PHCO_15807:
    ypcat -k command core dumps when rpc is not running properly.
    INDaa30924; SR 5003423871

    Unable to get a stack trace if failing in memmove or strcat.
    JAGaa05200

    strncpy(), when used with a large number of copy counts, is not as fast as expected on PA2.0 systems compared to other memory/string assembly routines.
    JAGaa10942

    getenv runs very slowly for multi-byte languages.
    JAGaa05075; SR 1653259333

    /usr/include/regexp.h does not compile with aCC (ANSI C++).
    JAGaa08066; SR 1653261131

    The CONCAT macro in inttypes.h does not work correctly for C++ applications.
    JAGaa00515; SR 5003348011

    C++ applications that attempt to use __toupper() and/or __tolower() fail to compile because the function prototypes for them are not available.
    JAGaa05224, JAGaa06023; SR 4701389932 4701390138

    getcwd(3C) fails with ENOENT if the root file system is a loopback file system (LOFS) after a chroot.
    JAGaa11165, JAGaa01441, JAGaa05219, JAGaa06021; SR 4701394395 4701382374 4701389916 4701390120

    The getdate() function does not parse the template file correctly when the %r field descriptor is used in at least one of the templates. This leads to the situation that a non-zero value for getdate_err is returned even when the template file contains a matching template. In addition, getdate() does not correctly handle the case where %I is used in a template but %p is not.
    JAGaa00429, JAGaa10165, JAGaa10166, JAGaa10167, JAGaa10168, JAGaa05222, JAGaa10164, JAGaa10163, JAGaa08067, JAGaa10158, JAGaa12392; SR 4701392977 4701392969 1653261081 4701392928 4701394650

    C++ applications that call setspwent(), endspwent(), putpwent(), setspwent_r() and/or endspwent_r() do not compile because the function prototypes for those functions are not available. In addition, alsgtty in alarm.h is defined to be of a non-existent type.
    JAGaa00526; SR 1653219691

    NT_MAX and ULONG_MAX divided by a signed integer yields 0 in K&R mode.
    JAGaa01184

    getxxbyyy commands leave reserved UDP ports created by NIS opened.
    INDaa30842; SR 5003422337

    PHCO_15465:
    bsearch() performance is bad.
    JAGaa01793

    strncmp() could be faster for short strings.
    JAGaa08219

    strncpy() is not as fast as expected for a performance critical routine.
    JAGaa08100

    A program that has installed a SIGPIPE handler using sigaction() and calls syslog(), aborts after the second SIGPIPE.
    JAGaa08180

    PHCO_15153:
    Commands dump core if LC_COLLATE=nonC and LC_CTYPE=C.
    JAGaa01685

    scandir(3C) causes core dump.
    JAGaa01938; SR 5003411355

    When PHCO_14891 or PHCO_14868 is installed Purify reports errors and problems with strchr().
    JAGaa07513

    getmntent(3X) API causes application programs to occasionally core dump with SIGSEGV Memory fault for larger sizes of /etc/mnttab.
    JAGaa04833; SR 5003415513

    PHCO_14891:
    Any application which calls the iconv() function could encounter a serious performance problem.
    JAGaa04914; SR 4701389551

    Cu over datakit, specifically, datakit CommKit 3.20.01, fails. A "cu " hangs.
    JAGaa04785; SR 4701388215

    PHCO_14868:
    Threaded applications calling gets() may hang after doing another i/o operation on stdin.
    JAGaa01903; SR 5003394833

    When a null pointer was used as argument for fputs and puts, the behavior is inconsistent between pre-10.20 and 10.20 onward releases.
    JAGaa01511

    Calling openlog() with a very long ident string causes syslog() to dump core or create unexpected/undefined results.
    JAGaa01271

    ftw(3C) causes a process to run out of file descriptors. Depending on the application, the user could see a message similar to the following:
        ftw failed: Too many open files
    JAGaa00531; SR 5003378869

    When LANG=japanese, the sed command, s/$/x/, would not add the character to the end of lines.
    JAGaa01206, JAGaa01953, JAGaa01952

    No performance gain in libc by running application on PA2.0 or PA1.1 m/c.
    JAGaa02105; SR 4701388462

    9.04 binary executable that calls 'step' regular expression API dumps core when run on 10.20 with libc patch PHCO_13399 or newer.
    DSDe442382; SR 5003413021

    A patch for the dbm libraries (libdbm.1 and libndbm.2) and libc has been created to increase performance of dbm_nextkey(). libdbm and libndbm are empty, and any dbm routines are resolved from libc.
    JAGaa01111, JAGaa1150; SR 5003392126

    PHCO_14511:
    strcoll() core dumps when LANG is set to C and LC_COLLATE is set to a different value (e.g. swedish).
    DSDe442035

    Customers using their own versions of malloc() and free() would notice free() being called twice on the same block of memory while using glob().
    JAGaa01494

    memccpy() doesn't detect the value of 0 at address 0.
    JAGaa01280

    regcomp() dumps core, instead of returning error, when dealing with some non-recognizable expression.
    JAGaa01396, JAGaa01496, JAGaa01497

    strptime(3C) does not calculate the week number correctly when the first day of the year is a Sunday (for %U and %W) or a Monday (for %W).
    JAGaa00976 SR 1653231456

    PHCO_14199:
    When the customer program containing calls to endpwent() is run in NIS environment, a memory leak is observed. After several days of running, the program is unable to continue due to an out-of-memory condition.
    JAGaa01175, SR 5003395673. The problem was introduced in cumulative libc patch PHCO_13029.

    Applications that 1) call fork() and 2) implement their own version of the malloc functions will not link with libc.a. For example, the link editor would print the following messages when an application (mymalloc.c), that implements its own version of malloc() and free(), is compiled:
        cc: Entering Link editor.
        /usr/ccs/bin/ld: Duplicate symbol "malloc" in files mymalloc.o and /usr/lib/libc.a(malloc.o)
        /usr/ccs/bin/ld: Duplicate symbol "free" in files mymalloc.o and /usr/lib/libc.a(malloc.o)
        /usr/ccs/bin/ld: Found 2 duplicate symbol(s).
    JAGaa01398.

    On some methods the first call to the API iconv_close(3C) on a conversion descriptor deallocates the codesets for all the opened conversion descriptor with the same "fromcode" and "tocode" arguments.
    In other words, if there are two descriptors obtained by calling iconv_open() twice with the same "fromcode" and "tocode", upon closing the first descriptor any operation on the second descriptor will cause a core dump.
    JAGaa00931 JAGaa00932.

    PHCO_13777:
    When the length of the environment variable LANG is longer than 1024 (MAXPATHLEN), catopen(3C) caused core dump.
    DTS JAGaa01290.

    When users with an expired password try to log in on the console, they get a usage message from the passwd command: "usage: passwd [-F file] [name]".
    DTS JAGaa00533, SR 5003380394.

    When more than 435 processes are registered with portmap(3c) and a request for PMAPROCDUMP is made via UDP, portmapper hangs.
    SR 1653236562, DTS INDaa29151.

    PHCO_13775:
    After a call to the malloc(3C) api which fails with an ENOMEM error, in some corner cases with certain mallopt(3c) smaller allocations subsequently return errors even when there is enough memory available for the allocation.
    DTS #: JAGaa01179

    Causes automountd to dump core when it tries to mount from an off-line server.
    DTS #: INDaa29523

    This patch is part of the 10.20 ACE 2 bundle which adds networking enhancements to 10.20. New networking features supported in ACE 2 include NFS Version 3.0, AutoFS and CacheFS.
    DTS #: DSDe441184, STARS #: 4701378117

    NIS map transfer fails due to transfer timeout on slave as a direct result of an inefficient method of scanning a sparse DBM database.
    DTS #: JAGaa01111 JAGaa01150, SR #: 5003392126

    PHCO_13626:
    10.20 strcoll performance is bad compared to 9.x for spanish locale and other single byte locales.
    DSDe436357, SR 1653214346.

    Calling perror(string) with the length of string plus the message larger than 1024 will cause a core dump.
    DTS # JAGaa01178, JAGaa01166.

    Telnet connection requests hang but connect if tried again.
    INDaa29426, SR 1653242040.

    PHCO_13399:
    Regular expressions pattern matching fails for UTF8 locales.
    As a result of this, commands like grep and ls will not be able to match patterns written for UTF8 correctly.
    JAGaa01146, JAGaa01147, JAGaa01151.

    PHCO_13282:
    The fix for SR 5003392126, DTS JAGaa01111 caused the following symptom: If dbm_nextkey() is called after a datum with a NULL dptr field has been returned from either dbm_firstkey() or dbm_nextkey(), an infinite loop occurs. This fix was rolled back.
    JAGaa01185.

    PHCO_13189:
    The API getlogin() returns invalid results for user names of 8 characters in some cases.
    JAGaa01154, SR 4701374512.

    The wcswidth(3c) API depends on methods/locales to return a value 0 for an empty wide string. Sometimes a locale would return a value other than 0 for an empty wide string.
    JAGaa00448, SR 4701374470.

    PHCO_13029:
    NIS map transfer fails due to transfer timeout on slave as a direct result of an inefficient method of scanning a sparse DBM database.
    SR 5003392126, DTS JAGaa01111.

    The performance of strcoll is bad for multi-byte locales when compared to 9.x performance.
    SR 1653192724, DSDe432158.

    PHCO_12673:
    Alternate regular expressions with an anchored non-first subexpression fail to match if parentheses are not used.
    DTS# JAGaa00523

    PHCO_12448:
    The memmove(3C) api is slow when moving data to the right, as in memmove(c+1,c,249).
    DTS# DSDe433981, JAGaa00518, SR# 5003355867

    The last patch PHCO_12128 breaks the correct functionality of spanish locale collation for strcoll and strxfrm. This patch fixes that problem.
    DTS# JAGaa00792.

    Signal mask is not restored after calling free when mallopt(M_BLOCK,0) has been set. Only happens on multiple calls to free for the same pointer.
    DTS# JAGaa00773, JAGaa00489, DSDe424072; SR# 1653228304 1653119560

    Non-root users of rlogin get the error message: "rlogind: /dev/pts/1: Permission denied." if configured in /etc/inetd.conf with the -l option.
    DTS# INDaa28226, SR# 4701364653

    PHCO_12128:
    NIS netgroups are searched recursively causing poor performance when netgroups are nested.
    DTS # INDaa27824, SR# 5003377606.

    The API seekdir() fails to position the next readdir() operation for certain nfs directory.
    DTS# DSDe431565

    The customer using strcoll(3c) with a single byte locale is experiencing a performance problem.
    DTS# DSDe436357, SR# 1653214346

    In a customer application, regcomp(3C) followed by regexec(3C) returns an unexpected "no match" value when the locale is set to non-C locale.
    DSDe437259, SR 1653215186.

    Output directed to stderr may be corrupted when an application opens files for non-buffered i/o by calling setbuf() with the _IONBF flag. The symptom is likely to manifest only in multi-threaded applications.
    DSDe437356.

    No reported symptoms - this is a proactive patch.
    DSDe436555.

    PHCO_11315:
    The customer using Spanish locale (or any locale with 2 to 1 mapping) along with any patch which includes patch number PHCO_10027 will see incorrect collation. Other customers will never see this problem.
    DTS # DSDe436983, SR 1653214346.

    User applications calling catopen() may run out of file descriptors.
    DTS # DSDe435212, SR 1653208355.

    PHCO_11004:
    In a multi-threaded application, if one thread is waiting on a read which won't complete (e.g., stdin or a stalled pipe) and another thread calls exit() or abort, the application would hang.
    DTS # DSDe435666, SR 1653211490.

    The group permissions of the parent directory of the home directory do not have to be set for "all" for the ".rhosts" check to succeed. The "rhosts" check changes the effective group id to the real group id before opening the ".rhosts" file. Also, ruserok() did not properly parse the username in hosts.equiv.
    DTS # INDaa22946 INDaa21768; SR # 5003297861, 5003274753.

    User applications calling catopen() may run out of file descriptors.
    DTS # DSDe435212, SR 1653208355.

    Memory leak in getservbyname.
    DTS# INDaa26623, SR# 5003358762.

    strcat() may core dump when the last word of the source string is at the page boundary.
    SR 5003302299, DSDe434239, DSDe427804.

    For regcomp/regexec, "^ *$" and similar patterns in non-C locales will incorrectly match lines with newlines in them. ^$ pattern and empty strings won't match when they should in non-C locales. A pattern with ^ in the C-locale and with REG_NEWLINE set will not consider newlines further down the string.
    DSDe434345, DSDe434746, DSDe434752; SR 1653204651, SR 4701349118.

    February 29, 2000 is rejected as a valid date by the getdate(3c) library call.
    DSDe434241, DSDe430766; SR #s 1653203026, 4701334763.

    The getdate(3c) would set getdate_err to "no matching template entry" (7) instead of "invalid input specification" (8) for dates outside the range of the time_t data type. This has been fixed.
    DSDe434270

    PHCO_10027:
    Unacceptable degradation of collation using swedish language.
    DSDe432108, SR1653192161.

    Regular expression pattern ".*" behaves incorrectly in Japanese locale.
    DSDe433097.

    The memcmp(3c) may core dump at page boundary.
    DSDe433356, SR4701344721.

    Applications built archived on release 10.20 will use the wrong locale libraries for the C locale if they are executed on a future HP-UX release. The result is unpredictable. Existing applications built with the archived libc in 10.20 need to be rebuilt with a libc that contains this patch if they are to be moved forward to a post-10.20 HP-UX release to ensure that they use the correct locale libraries for the C locale on the new release. Existing 10.20 applications built shared do not have to be rebuilt with the patch to be migrated to a future HP-UX release.
    DSDe432519.

    PHCO_9577:
    When customer runs command: setprivgrp -g LOCKRDONLY, the NIS system hangs.
    INDaa24394, SR5003320648. This fix was intended for PHCO_8979, but was inadvertently left out.

    PHCO_8979:
    The libc routine ulckpwdf always returns -1. As a result, the /etc/.pwd.lock can not be unlocked.
    DSDe431142, SR5003338038.

    Memory leak in globfree().
    DSDe431962, SR5003344192.

    If the given weekday is the same as today and within the last 7 days of the month, getdate() returns an Error 8.
    DSDe431143, SR1653185629.

    In non-C locales, non-blank lines would match pattern ^$ for regcomp().
    DSDe431505 DSDe432126.

    User applications hit a limit of 1023 for number of sets in a message catalog.
    DSDe431644, SR5003341271.

    Calls to tempnam(), mktemp() and mkstemp() sometimes returned a dangling symlink as the name for a temporary file.
    SR1653189134.

    The strptime and getdate calls did not handle two digit year specifications in the same manner. This has been addressed by providing strptime and getdate with an alternative behavior for dealing with two digit year specifications. In order to obtain the alternative behavior, which interprets two-digit year values in the range 66-99 to refer to the twentieth century and values in the range 00-68 to refer to the twenty-first century, the executable must link with the supplied object file, /usr/lib/year2000.o. Existing executables will continue to get the compatible behavior.
    DSDe430766, SR4701334763.

    If the ndots resolver option is configured in /etc/resolv.conf and res_init() is directly or indirectly called, a memory leak will occur. Applications using gethost*() APIs or directly using resolver APIs (res_*()) in a DNS environment are open to this problem.
    INDaa23823.

    The getdate() routine fails with a signal 11 segmentation violation when accessing a datemask file that contains a very large number of alternative date formats.
    DSDe429925, SR1653176883.

    PHCO_8764:
    Random truncation of strings with strcat due to fix attempted in PHCO_8108.

    PHCO_8108:
    Significant performance degradation of regular expression processing in 10.X compared to 9.X. Affects awk, grep, sed, etc.

    Some printf variants available in patched 10.X systems weren't exported in 10.20.

    getcwd returns EINVAL when a negative buflen is passed in.

    memchr may core dump when char is not found.

    Sometimes strcat would attempt to access an unmapped page of memory.

Defect Description:
    PHCO_20098:
    printf() not rounding but truncating. printf("%lf\n",0.99924950); is printed as 0.999249 but it should be rounded to 0.999250.
    Resolution: To fix this the magic number
        #define ROUND_MAGIC 4503599627370497.0
    is changed to
        #define ROUND_MAGIC 4503599627370496.0
    in the file ecvt.c. The common accounting rule is to round a 5 to the nearest even number. This means that the output of printf("%lf\n",0.99924950); should be 0.999250.
    JAGab71648; SR 8606104252

    When the terminating count is less than the null byte and under some alignment conditions strncat will copy the extra characters.
    Resolution: Made logic changes to assembly coded routines.
    JAGab74949; SR 8606106102

    When the string length is mis-stated to be longer than it actually is and the source string terminates on a page boundary with the next page unreadable, strncat will core dump.
    Resolution: Made logic changes to assembly coded routines.
    JAGaa05163; SR 4701389700

    When the string length is mis-stated to be longer than it actually is and one string is on a page boundary and the next page is unreadable, strncmp will core dump.
    Resolution: Made logic changes to assembly coded routines.
    JAGab75446; SR 4701389700

    When a system is out of network, and the hostname lookup is configured for dns, it takes a long time trying to resolve the hostname before it falls back to files.
    Resolution: Two new options have been added to make the retrans and retry values configurable. These 2 values can be set in resolv.conf as follows.
        retrans
        retry
    Or these values can be set using environment variables also.
        RES_RETRANS
        RES_RETRY
    Two new APIs are provided to provide programmatic access to resolver(3N) retransmissions or timeouts:
        get_resfield (int field, void *value, int len);
        set_resfield (int field, void *value);
    field - is either RES_RETRANS or RES_RETRY.
    value - is the value to be set or obtained.
    len - is the sizeof(value).
    The order of precedence is as follows.
        1. environment variable
        2. resolv.conf
        3. API.
    JAGaa27056, JAGaa27175; SR 5003410290, 5003424531

    PHCO_19181:
    When the command " cat < filename> | sed 's/ *$//g' " is run on the command line with the file containing one line with spaces and the second line empty, the sed command loops internally for a non-C locale. This is because regexec(), which is used by sed for pattern matching, returns match found for the empty string while searching for the space.
    JAGab24447; SR 1653308684

    libc sigaction() wrapper can core dump when linked with libcma.
    JAGab25112; SR 4701428805

    PHCO_18644:
    The above problem is caused by the fact that when characters in s2 match characters in s1, the algorithm keeps going backwards to find if more characters match without checking if the beginning of s1 is reached.
    Resolution: A check is added to make sure that when the beginning of s1 is reached, the search stops.
    JAGaa41142; SR 5003436923

    This problem occurs only under an NIS environment. The getXXbyYY calls use yp_match to bind to the NIS domain. The sockets are left open even after the return from the libc call. When a root process invokes the getXXbyYY libc call, the port allocated is within the range 512-1024. If a large number of processes are run this may lead to a scarcity of the ports in this range. To overcome this an if condition was added which will free the ports if the process is a root process. Unfortunately one of the if-else clauses was put in the wrong place, and so when a non-root user invokes the libc call under an NIS setup, the return value is always NULL. Hence services like ftp and telnet were breaking.
    Resolution: Fix the problem by putting the if-condition in the correct place.
    JAGab20818; SR 5003465781

    PHCO_18338:
    NIS - netgroup searches return NOTFOUND when they should return UNAVAIL.
    Resolution: Code changes to let netgroup lookup return UNAVAIL instead of NOTFOUND when the service specified in /etc/nsswitch.conf is not up.
    JAGab13005; SR 5003459693

    When calling strncmp with one valid string pointer, a null pointer and a length of zero, strncmp will return the first character or the negative of the first character of the valid string instead of an expected zero.
    Resolution: Change the sequence of condition testing in strncmp.
    SR 5003463463

    Running the following program:
        #include <stdio.h>

        int main(void)
        {
            union {
                unsigned long long dbl[2];
                long double ldbl;
            } u;

            /* NaN: exponent bits all ones, fraction non-zero (128-bit long double) */
            u.dbl[0] = 0x7FFFF80000000000ULL;
            u.dbl[1] = 0;
            printf("%10.4Le\n", u.ldbl);
            return 0;
        }
    produces the output:
        N.aN00e-01
    which is incorrect.
    Resolution: Code is added to handle NAN and Infinity in case of long double.
    JAGaa86217

    .005 gets printed as 0.00 in %.2f even though its intern. rep. is > .005
    Resolution: The magic number used for rounding is changed.
    JAGaa72895

    All the socket calls left the sockets open even after the data was transferred, thus resulting in the blockage of all the reserved UDP ports. This SR is requesting that all libc calls using yp_match() also release the UDP ports allocated by calling yp_unbind() in all cases where yp_match is used. Again, the getXXbyYY() calls (i.e. gethostbyaddr() etc.) only call yp_unbind when the return value from yp_match is zero, indicating a successful NIS query. They need to call yp_unbind regardless of the yp_match return value.
    Resolution: yp_unbind is now called to free up resources opened by yp_match calls.
    JAGaa31864 JAGaa42352; SR 5003422337 5003439299

    getpwnam(3C) as root w/ NIS does not release reserved port when done.
    Resolution: Now whenever the above mentioned APIs are called by a process with uid==0, yp_unbind() is called to free the reserved port.
    JAGab12846; SR 5003459735

    PHCO_18018:
    regexec() matches "." in empty string "" with locales other than C.
    Resolution: regexec(3C) was matching a "." in an empty string "". The problem was due to an out-of-bound array access without checking the end-of-string. The changes made are only to make sure that the accesses are valid.
    JAGaa53114; SR 4701413906

    Some PA2.0 assembler syntax was used in the 1.1 portion of the code. The current 11.X assemblers accept this syntax and emit the correct op codes for 1.1 machines.
    Resolution: Changed syntax to conform to PA1.1 syntax.
    JAGaa62460

    With unaligned data strncmp would always read one word ahead.
    Resolution: Changed the algorithm to limit reads to the passed buffer size and to correctly handle large unsigned numbers that could be interpreted as signed values.
    JAGaa24069 JAGaa01218

    memchr() was not treating the match character as an unsigned character.
    Resolution: When comparing a negative integer on a short string memchr did not convert the negative integer to an unsigned char.
    JAGaa93243

    strptime(3C) was unable to process format strings containing "%EY" or "%EC%Ey" directives and returned NULL. These directives are used by the era date format in Chinese locales zh_TW.ccdc and zh_TW.big5. The era date format (and this defect) are only in the 2 above locales supplied by HP. The failure is not caused by a particular date.
    Resolution: A correct algorithm is used to parse the %EY or %EC%Ey directive.
    JAGaa08262 JAGaa47278

    1. ctype(3C) routines are too slow and the macros have too many instructions because they contain function calls.
    2. The performance of singlebyte applications using the ctype routines needlessly degrades in multibyte locales.
    3. strcasecmp(3C) and strncasecmp(3C) are too slow compared to other vendors because they rely on _tolower(3C) which is a macro mapped to a function call.
    Resolution: To allow ctype routines to always perform table lookup, code populating the tables pointed into by __SB_masks, __SB_upper, and __SB_lower has been moved from __ctype_init() in NLSsetup.c to update_locale() in setlocale.c. Now __SB_* pointers are *never* NULL and are used in all locales by ctype and wctype routines for character codes from -1 through 255.
Key to this change is the X/Open and HP specification that the return value from a ctype API is valid only for ints from -1 through 255. If the API receives any other argument value, its behaviour is undefined. This fact also entailed a change to atol.c (for atoi() and atol()) to make sure sign extension of a char converted to an int does not corrupt an argument passed to isdigit(). Backward compatibility forces us to limit these changes to internal libc use, since an application built with the new ctype.h and new libc but running with an older libc will crash. As a safeguard, all changes to ctype.h have been placed within #ifdef _SB_TABLE_LOOKUP and make.defines has been modified to strip those changes before a ctype.h is built for shipping (in pub_hdr/). Other files have been changed to ensure the faster ctype macros are always used in libc.
JAGaa43050 JAGaa05164

calloc() may cause an application to crash due to memory corruption when memory is allocated with SBA (Small Block Allocator) enabled. Any application which uses SBA and allocates memory that is not a multiple of 8 bytes is likely to run into this problem. Any application which uses calloc() should apply this patch.

Resolution: The previous version of calloc() was written in assembly for performance reasons. calloc() does nothing more than call malloc() and clear out the bytes. The 11.00 version of calloc(), which is written in C, has been backported to 10.20. This will not be a performance issue, since all calloc() does is call malloc() and memset(), and both these routines have good performance.
JAGab03796; SR 5003457887

PHCO_17381:
getcwd() was returning prematurely due to an incorrect check for whether the root directory has been reached in the case of a Loop Back File System (LOFS) and, consequently, returns incorrect results.
Resolution: Changed getcwd() to compare the entire mystat structure for the current directory and its parent directory when determining if the root directory has been reached. The previous code only compares the inode and device numbers. This change ensures that cases where the inode and device numbers are the same for both the current and parent directory will be handled correctly. An example of this, prior to applying the fix to getcwd(), follows:

    # mount /stand /stand/lofs
    # cd /stand/lofs/build
    # pwd
    /build          /* path obtained from getcwd() */

This is because the inode and device numbers for lofs and stand are the same:

    build: {ino = 4226; dev = 0x40000001; fstype = lofs; fsid = 0xff000004}
    lofs:  {ino = 5376; dev = 0x40000001; fstype = lofs; fsid = 0xff000004}
    stand: {ino = 5376; dev = 0x40000001; fstype = ufs;  fsid = 0 }
    /:     {ino = 2;    dev = 0x40000001; fstype = ufs;  fsid = 0 }
JAGaa62640 JAGaa86038 JAGaa86039; SR 4701414862

strftime() returns two different week numbers for %V for days in a week which contains days in the previous year and the new year. The week number returned for days in the previous year is either 52 or 53. The week number returned for days in the new year is 1 if there are four or more days in the new year in that week; otherwise, it is 53, regardless of whether the last week of the previous year is 52 or 53. The week number should be the same for all days in any week.

Resolution: Changed strftime() to return the same week number for all days in a week which contains days in the previous year and the new year. If there are fewer than 4 days in the new year, return the week number of the last week of the previous year; otherwise, return 1.
JAGaa93337 JAGaa93338 JAGaa93339; SR 1653245415

innetgr() evaluates hostname case-sensitively.

Resolution: In innetgr(), change strcmp to strcasecmp when comparing machine names from input and yp database.
JAGaa24139; SR 5003407569

asctime(3C) breaks at 2100

Resolution: The problem was already addressed in 11.0.
Backported the code from 11.0 to 10.20 and 10.10 patch branches.
JAGaa55561

An uninitialized variable was being freed.

Resolution: The problem was resolved by resetting a pointer to NULL when a call to yp_next() fails.
JAGaa57250

PHCO_16723:
When the corefile generated by abort(3C) is read by DDE, one of the things it checks in the stackUnwindDescriptor is whether the frame containing the PC is an alloca frame. If it is an alloca frame, it needs to find the StackPointer in gr3. It will then check all the frames more recent than the one where it found the alloca frame to see if any procedure saved off the callee save registers. If no frame saved them, it will use the gr3 found in the save_state. Note that the callee saved registers are not saved into the save_state in syscallinit unless the process is being traced. The calling convention only requires a callee saved register to be written to the stack if a function would modify it. Hence, in the normal path of a system call, the user register content may not be written out to the stack at all; it could only be saved at context switch, or it might be saved/restored on a kernel stack at the entry/exit of a function that modifies the register. What appears to be happening is the callee saves are not preserved when we enter the syscall _kill().

Resolution: Libc API abort(3C) can save the callee save registers when entering this procedure. An assembly wrapper is applied to the existing abort(3C) module that explicitly saves the callee save registers.
JAGaa43927; SR 5003443143

mktime() ignores tm_isdst if a previous TZ value had no daylight saving time

Resolution: When mktime() is invoked with different TZ environment variables, a static local buffer "tzbuf" is used in localtime_r() in ctime.c to store the time zone name (for example PST8PDT, UTC0 etc.). mktime() looks at the /usr/lib/tztab file to get the daylight saving information for the set time zone.
The idea behind using the static buffer is to avoid reopening the file /usr/lib/tztab if it has already been processed. However, if there is a change in timezone in between, the file should be reparsed. This was not happening for the test case. ctime is modified to check whether the TZ environment variable has changed and, if so, the TZ variable is copied before further processing takes place.
JAGaa44810; SR 5003444117

When a customer has a vxfs file system and he does a bdf on that file system, he will get different results depending on whether the argument passed to bdf is a mount point or a device file. For example: If I have a file system /dev/vg00/lvol9 mounted on /mnt and I do a bdf -i /mnt /dev/vg00/lvol9 I get the following:

    # bdf -i /mnt /dev/vg00/lvol9
    Filesystem          kbytes    used   avail %used  iused  ifree %iuse Mounted on
    /dev/vg00/lvol9     204800    3232  188999    2%    657  50387    1% /mnt
    /dev/vg00/lvol9     204800    3232  201560    2%    800      0  100% /mnt

The problem is that when a mount point is given as an argument to bdf, the kernel call statvfs() is used. When a device file is given to bdf, the libc call statvfsdev() is used (and it ultimately calls __fstatvxfs()). These routines do essentially the same thing, but one operates on a mounted file system and the other operates on a device file. When a change is made to the kernel routine and not the libc routine, problems like this are encountered.

Resolution: This problem should be solved by keeping the __fstatvxfs() routine in sync with statvfs(2). statvfs(2) returns information on a mounted file system, statvfsdev(3C) returns information on a file system whether or not it is mounted. Either way, they should return the same info on a given file system. If statvfs() is changed, the same change may be required in __fstatvxfs(). The code for __fstatvxfs() is almost a copy of that for vx_statvfs() in the kernel, the main difference being that the former retrieves information from the super-block whereas the latter gets it from in-core structures.
Therefore, the values returned by the two calls may be slightly different for certain members in the statvfs structure (such as f_bavail and f_files), as the in-core structures may not have been flushed to disk yet when those values are read. This problem is being resolved by bringing the __fstatvxfs() routine up to date with the statvfs(2) routine.
DSDe443933; SR 1653252635

The problem was caused by excessive locking of /etc/mnttab in the getmntent(3X) family of APIs, and by incorrect use of the getmntent(3X) APIs by commands such as mount(1M) and umount(1M).

Resolution: In the patch, setmntent(3X) no longer uses a read lock when opening the mnttab file, and a new API, delmntent(3X), has been developed for use by commands that delete entries from the mnttab file. Use of this patch will avoid a possible deadlock situation during concurrent invocations of mount(1M) or other commands that write to or read from /etc/mnttab.

Excerpts From the Changed getmntent(3X) Man Page:

    int delmntent(FILE *stream, struct mntent *mnt);

DESCRIPTION
    delmntent()   Deletes all entries from the file stream opened with setmntent that match both mnt_fsname and mnt_dir in mntent structure mnt. If mnt_fsname is a null pointer, all entries that match mnt_dir will be deleted. If mnt_dir is a null pointer, all entries that match mnt_fsname will be deleted. It is an error if both mnt_fsname and mnt_dir are null pointers. Note that stream must be opened via setmntent for reading and writing (r+ or a+). Upon return from the call to delmntent, the file position indicator for the stream will point to EOF.

RETURN VALUE
    setmntent()   Returns a null pointer on error. setmntent() attempts to establish an exclusive write lock on the file it is opening, i.e. when one of the following types is passed to setmntent() to open the file for write/update: "w", "a", "r+", "w+", or "a+". If setmntent() cannot get the lock, it returns a null pointer and sets errno to either EACCES or EAGAIN.
    delmntent()   Returns -1 on error. Sets errno to EINVAL if stream or mnt are null pointers, or if both mnt_fsname and mnt_dir in mntent structure mnt are null pointers. Sets errno to EBADF if stream has been opened for read (r), append (a), or write (w). If the operation is successful, returns the number of entries deleted from the file. When no entries are matched, delmntent returns 0 and does not set errno.

    endmntent()   Returns 1, and unlocks the file if it was locked by setmntent().

EXAMPLES
    The following code deletes an entry:

        struct mntent mnt_entry;
        FILE *fp;
        int retval = NOT_DELETED;

        mnt_entry.mnt_fsname = "/dev/vg03/lvol7";
        mnt_entry.mnt_dir = "/disk7";
        if ((fp = setmntent(MNT_MNTTAB, "r+")) != NULL) {
            if (delmntent(fp, &mnt_entry) > 0)
                retval = DELETED;
            (void)endmntent(fp);
        }
        return(retval);
JAGaa44899

memcmp() does not perform well when static branch prediction is enabled on executables due to branches being mispredicted. This is a performance hit when memcmp is called a lot of times in executables. memchr() causes stack overflow problems when large values are passed in the length parameter of the routine. The routine also does not perform well when static branch prediction is enabled on executables. memcmp and memchr perform 64 bit compare operations on 32 bit operands passed as parameters to these routines. This could cause problems if the upper 32 bits contain random values.

Resolution: The fix for memcmp() improves the performance of this routine when run on PA8000 machines with static branch prediction turned on. The fix for memchr() allows it to handle large values passed in "count" (the third parameter) of this routine. This used to cause stack overflow problems earlier. The performance of this routine has been improved when run with static branch prediction enabled on PA8000 machines.
JAGaa13890, JAGaa41144, JAGaa41248

mktime() always returns 0 for tm_isdst, regardless of whether daylight savings is in effect for dates beyond Tuesday January 19 03:14:07 UTC 2038. Since strptime() obtains this value from mktime(), it also returns the incorrect value for tm_isdst for those dates.

Resolution: There is no timezone adjustment rule for years past 2038 that can be used to correctly determine the value of tm_isdst. To work around this for now, the rule for the year 2038 is used for those years.
JAGaa16206, SR 4701405688, JAGaa23230 SR 4701405696, JAGaa23233 SR 4701405720

strptime() needs to check if the return value of mktime() is within the range of seconds that it supports because mktime() supports a much wider range of dates than strptime() in 64-bit mode.

Resolution: strptime() was modified to check the return value of mktime() to determine if the input date is within the supported range, which is from Friday December 13 20:45:52 UTC 1901 to Friday December 31 23:59:59 UTC 9999.
JAGaa23231 SR 4701405704, JAGaa23232 SR 4701405712

PHCO_16303:
HP-UX enforces that variable lengths should not exceed 1024. In catopen(3C), the string that represents the variable LANG was strcpy'ed into a buffer with a fixed size MAXPATHLEN (1024). This caused coredump when strlen(LANG) is longer than 1024.
JAGaa01290

The behavior of strcoll will be incorrect for European languages in rare cases.
JAGaa13917

setlocale() performance is unacceptable for applications that need frequent calls to this function.
JAGaa01275; SR 1653242669

setlocale() 9.X compatibility is broken for restore operation.
JAGaa12729

setlocale() leaks memory when used to switch between some multi- and single-byte locales
JAGaa13318

When/if there's a possibility to introduce a new iconv conversion table whose size is larger than 2^15 * 8 bytes, iconv() could fail.
JAGaa14162

PHCO_16302:
If old 10.20 locale which uses multi-byte routines is used and it has collating element e.g.
Spanish, strcoll and wcscoll will not perform correctly.
JAGaa18768, JAGaa18769

strptime(3C) returns an error when the %E conversion specification is used in the C locale. It does not fill in the tm_wday, tm_mon and tm_mday fields in the tm structure when both the year and day of year are supplied. It does not support dates beyond January 19 UTC 2038 in 32-bit HP-UX. It does not indicate an error when a date that is out-of-range or inconsistent input is provided. The resulting values of tm_wday and tm_yday are off by 1 when tm_sec and/or tm_min are initialized to -1 when the %j conversion specification is used.
JAGaa06544; SR 5003416719

strptime() returns the same values for the tm_mday, tm_mon, tm_yday and tm_wday fields in the tm structure for Feb 29 2000 and March 1 2000 if %A (or %a) and %U conversion specifications are used. The output for March 1 2000 is incorrect.
JAGaa13581; SR 1653269738

PHCO_15808:
strptime(3C) returns an error when the %E directive is used in the C locale. It does not fill in the tm_wday, tm_mon and tm_mday fields in the tm structure when both the year and day of year are supplied. It does not support dates beyond January 19 UTC 2038 in 32-bit HP-UX. It does not indicate an error when a date that is out-of-range or inconsistent input is provided.
JAGaa06544

PHCO_15807:
yp_all(), which is called by ypcat, frees its UDP client handle and creates a TCP client handle to make a request. It mistakenly uses the released UDP client handle to open the message catalog for an unsuccessful TCP clnt_call() and causes core dumps.
INDaa30924; SR 5003423871

Unable to get a stack trace if failing in memmove or strcat
JAGaa05200

Unlike other memory/string assembly routines, strncpy() doesn't take advantage of PA2.0 instruction sets where available.
JAGaa10942

getenv runs very slow for multi-byte languages like ja_JP.SJIS. The performance for single-byte languages is as good as C locale.
JAGaa05075; SR 1653259333

Functions 'compile', 'step' and 'advance' in /usr/include/regexp.h had no corresponding ANSI or C++ definitions.
JAGaa08066; SR 1653261131

The CONCAT macro in inttypes.h returns an incorrect value in C++ applications.
JAGaa00515

C++ applications are not able to use __tolower() and __toupper() because the function prototypes for those functions are not available.
JAGaa05224, JAGaa06023; SR 4701389932 4701390138

A call to getcwd() will fail if the root file system is a loopback file system. This will not normally be the case, but if chroot() has been called to set the root directory, then this could be a loopback file system (LOFS). A specific example of this is when the anonymous ftp home directory is a LOFS, as ftpd will then use chroot() and can report:

    550 getcwd: No such file or directory
JAGaa11165, JAGaa01441, JAGaa05219, JAGaa06021; SR 4701394395 4701382374 4701389916 4701390120

getdate() fails to find a matching template when %r is used in a template and there is at least one other template that contains %H or %R, even though a matching template exists. It also returns an error if a template contains %I but not %p and a matching template exists.
JAGaa00429, JAGaa10165, JAGaa10166, JAGaa10167, JAGaa10168, JAGaa05222, JAGaa10164, JAGaa10163, JAGaa08067, JAGaa10158, JAGaa12392; SR 4701392977 4701392969 1653261081 4701392928 4701394650

C++ applications fail to compile if they call one of setspwent(), endspwent(), putpwent(), setspwent_r() and endspwent_r() because the function prototypes for those functions are not available. In alarm.h, alsgtty is defined to be a "struct sgtty", which does not exist.
JAGaa00526; SR 1653219691

In K&R mode, dividing UINT_MAX or ULONG_MAX by a signed integer produces a result of 0 because the constants are not being cast to "unsigned int" and "unsigned long", respectively.
JAGaa01184

Once all the reserved UDP ports are consumed, each process or user application that needs a reserved UDP port has to wait until one is available.
INDaa30842; SR 5003422337

PHCO_15465:
bsearch() spends a lot of time in div and mul mill-code routines for benchmark. It is not acceptable for customers.
JAGaa01793

strncmp() can be much faster for short string (less than or equal to 8 bytes) comparison if short strings are treated separately.
JAGaa08219

strncpy() is currently implemented in C. Its performance is not acceptable for customers.
JAGaa08100

syslog() uses signal() internally instead of sigaction() to ignore the SIGPIPE signal.
JAGaa08180

PHCO_15153:
Commands dump core if LC_COLLATE is set to a non-C locale but LC_CTYPE is set to the C locale. If there is no difference between LC_COLLATE and LC_CTYPE, there is no problem.
JAGaa01685

scandir(3C) causes a core dump when 130 entries or more are in a directory. Occurs only with non System V file systems, mounted as a networked file system on HP-UX.
JAGaa01938

Installation of PHCO_14891 or PHCO_14868 causes Purify to report errors on strchr(). This was caused by a backwards branch in the assembly code.
JAGaa07513

The defect is that getmntent(3X) returns an incomplete mntent structure when the current position in mount table files has reached the end of the 8k buffer boundary. When applications try to access data using incomplete entries in the mntent structure, they core dump with Memory fault.
JAGaa04833; SR 5003415513

PHCO_14891:
iconv() is unacceptably slow.
JAGaa04914; SR 4701389551

dial() was missing the required ioctl to notify the datakit driver to set receive mode DIOCRMODE for CommKit 3.2. It appears that this ioctl was deleted from a previous version of dial() because CommKit 4.0 no longer required it. However, this "broke" proper dial access to CommKit 3.2.
JAGaa04785; SR 4701388215

PHCO_14868:
gets() can fail to release a lock after encountering an EOF condition.
This will cause another thread in the application doing an i/o operation on stdin to hang, leading potentially to an application deadlock.
JAGaa01903; SR 5003394833

The correct behavior should be as follows: when a null pointer is passed as argument to fputs and puts, fputs should return 0 and write nothing to the file, and puts should return 1 and write '\n' to stdout. The above behavior is now in 10.20, 10.30, 11.0, and 11.al, which is consistent with the pre-10.20 behavior.
JAGaa01511

The previous syslog code, in some places, kept filling the buffers without checking for the buffer limits. Once the size of the buffers was exceeded a core dump would occur.
JAGaa01271

The ftw() call in libc can quickly use up all the open files a process is allowed because of a bug in the code. ftw() uses an extra file descriptor every time the function that is passed in to ftw() returns a nonzero value. So, the easiest way to see this problem is to call ftw() in a loop and pass in a function that always returns 1. Depending on the number of open files allowed for the process (usually it is 60) the ftw() call will fail when the open files are exhausted.
JAGaa00531; SR 5003378869

A flag was set incorrectly, which caused the "match end of line" not to be recognized. Setting of the flag is corrected.
JAGaa01206, JAGaa10953, JAG01952

mem and str assembly routines, right now, do not take advantage of the PA2.0 instruction set. Also, other libc routines do not take advantage of PA1.1 instruction sets.
JAGaa02105; SR

Binary compatibility for 9.04 regexec() routine was removed in PHCO_13399.
DSDe442382; SR 5003413042

A patch for the dbm libraries (libdbm.1 and libndbm.2) and libc has been created to increase performance of dbm_nextkey(). libdbm and libndbm are empty, and any dbm routines are resolved from libc.
JAGaa01111, JAGaa1150; SR 5003392126

PHCO_14511:
Whenever LANG is set to C and LC_COLLATE is set to a non-C locale, strcoll() incorrectly assumes that it has been initialized, when this is not the case.
DSDe442035

An internal function called by glob() attempts to free the same block twice.
JAGaa01494

memccpy() doesn't detect the value of 0 at address 0.
JAGaa01280

The defect was caused by copying one NULL string pointer to another without any checking.
JAGaa01396, JAGaa01496, JAGaa01497

strptime(3C) does not calculate the week number correctly when the first day of the year is a Sunday or a Monday.
JAGaa00976 SR 1653231456

PHCO_14199:
There is a memory leak in endpwent() and setpwent() libc functions when they are run in NIS environments. The program size grows in 4k increments for each endpwent() and setpwent() call in an NIS environment.

The problem was introduced in cumulative libc patch PHCO_13029. It occurs for applications that 1) call fork and 2) implement their own version of the malloc functions. This problem is caused by linking with fork.o; all of the external symbols in malloc.o are imported, including the malloc functions such as malloc and free. This causes ld to find duplicate symbols, one for the application's own malloc function and one for the malloc function in malloc.o from libc.a. The patch should be installed if the symptoms occur when the application includes a call to fork(), yet the symptoms don't occur when the call to fork() is removed from the application.

The APIs iconv_open(3C) and iconv_close(3C) didn't keep track of multiple uses of method.

PHCO_13777:
HP-UX enforces that variable lengths should not exceed 1024. In catopen(3C), the string that represents the variable LANG was strcpy'ed into a buffer with a fixed size MAXPATHLEN (1024). This caused coredump when strlen(LANG) is longer than 1024.

getlogin(3) API in libc returns NULL when the tty is console.
Hence the utilities like passwd print error messages when they use the getlogin() API to access the login name of the user.

When the memory buffer overflows while trying to encode too much data, the memory area gets shortened at each request, eventually going negative. The pointer is not reset on error.

PHCO_13775:
In some corner cases a malloc(3c) internal error flag is not cleared.

RPC internal function does not handle client creation properly if the server is off-line.

New functionality to support networking features in 10.20.

NIS uses dbm to manage its data. Because of unlucky splitting, the '.pag' file has a large empty area which causes the NIS file transfer to fail because it takes longer than 25 seconds for dbm to get between keys.

PHCO_13626:
The performance of 10.20 strcoll is bad compared to 9.x for single byte locales because of a slow algorithm used for replacing 1 to 2 map characters.

The size of the string passed to perror, plus message, was not checked and could have become larger than the size of the allocated output buffer. In such situations perror would have coredumped.

Backlog limit for Listen() was set at 2 by default. Limit was increased to 20 via SOMAXCONN in sockets.h.

PHCO_13399:
Regular expression pattern matching is done through regcomp() and regexec() routines. These routines fail to match patterns correctly in the UTF8 locale environments, for example the German locale de_DE.utf8.

PHCO_13282:
Case of calling dbm_nextkey() after the entire database has been traversed via dbm_firstkey() and dbm_nextkey() calls was not handled properly.

PHCO_13189:
The utmpx file contains an 8 character user name concatenated with 2 characters of device name.

The implementation of the wcswidth(3c) API fails to comply with specification if the locale dependent version of wcswidth does not comply.

PHCO_13029:
NIS uses dbm to manage its data.
Because of unlucky splitting, the '.pag' file has a large empty area which causes the NIS file transfer to fail because it takes longer than 25 seconds for dbm to get between keys.

The strcoll(3c) API for multi-byte was not optimized.

PHCO_12673:
awk and grep fail for certain regular expressions.

PHCO_12448:
The proper optimizations were not applied.

This patch fixes the Spanish locale collation problem for strcoll and strxfrm APIs caused by patch PHCO_12128.

Signal mask was not restored for this corner case.

The effective user and group id are set incorrectly in the call ruserok() when rlogind is invoked with an option "-l".

PHCO_12128:
If netgroups are nested this causes the NIS netgroup files to be recursively searched, causing poor performance.

The API seekdir(3) is unable to position the next readdir(3) operation if the directory is on a 3rd-party NFS server that returns a negative signed 32-bit integer. Fix is made to readdir() not to call the lseek(2) system call.

This is a patch for a performance problem reported for Spanish locales. The patch helps all single byte locales.

A local data item was not being initialized properly.

Incorrect internal buffer allocation can lead to an overlap between the stderr buffer and other internal buffers when files are opened for non-buffered i/o.

Potential for data corruption/crashing if dbm_open is called with a filename which is too long.

PHCO_11315:
The trimming off of the common prefix from strings before collation causes a problem in the Spanish locale because it has a 2 to 1 mapped collation element, e.g. "ch" should map after "co" but if the common prefix "c" is removed, "h" will collate before "o", which is incorrect.

An incorrect setting of NLSPATH, e.g. NLSPATH="/tmp", causes catopen() to leave open file descriptors behind. As a result, applications that frequently call catopen() with an incorrectly set NLSPATH can run out of file descriptors.
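The two catopen() defects listed above (LANG copied with strcpy into a 1024-byte buffer, and descriptors left open when NLSPATH="/tmp") can be illustrated together. The C sketch below is an added example, not HP's catopen() source: expand_template, open_catalog and leak_check are hypothetical names, only the %L, %N and %% template fields are modelled, and it assumes the leaked descriptor came from a candidate path that could be opened but was not a usable catalog.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CAT_PATH_MAX 1024   /* fixed buffer size named on the page (MAXPATHLEN) */

/* Expand one NLSPATH template: %L -> lang, %N -> name, %% -> '%'.
 * Unlike strcpy(buf, lang), every piece is length-checked before it is
 * copied. Returns 0, or -1 with errno = ENAMETOOLONG if the result plus
 * its terminating NUL does not fit in dstsz bytes. */
int expand_template(char *dst, size_t dstsz, const char *tmpl,
                    const char *lang, const char *name)
{
    size_t used = 0;

    if (dstsz == 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    while (*tmpl != '\0') {
        const char *piece = tmpl;   /* default: copy one literal character */
        size_t len = 1;

        if (tmpl[0] == '%' && tmpl[1] != '\0') {
            if (tmpl[1] == 'L') {
                piece = lang; len = strlen(lang);
            } else if (tmpl[1] == 'N') {
                piece = name; len = strlen(name);
            } else {
                piece = tmpl + 1;   /* "%%" and unmodelled fields */
            }
            tmpl += 2;
        } else {
            tmpl += 1;
        }
        if (len >= dstsz - used) {  /* always keep room for the NUL */
            errno = ENAMETOOLONG;
            return -1;
        }
        memcpy(dst + used, piece, len);
        used += len;
    }
    dst[used] = '\0';
    return 0;
}

/* Open one catalog candidate. A template such as "/tmp" has no fields, so
 * it expands to a directory that open() accepts; the descriptor must be
 * closed on that failure path or each call consumes one. */
int open_catalog(const char *tmpl, const char *lang, const char *name)
{
    char path[CAT_PATH_MAX];
    struct stat st;
    int fd;

    if (expand_template(path, sizeof path, tmpl, lang, name) != 0)
        return -1;
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                  /* the step whose absence leaks */
        errno = ENOENT;
        return -1;
    }
    return fd;
}

/* Lowest free descriptor number; if it is unchanged, nothing leaked. */
static int lowest_free_fd(void)
{
    int fd = open("/", O_RDONLY);

    if (fd >= 0)
        close(fd);
    return fd;
}

/* Returns 1 if 64 failed lookups with NLSPATH="/tmp" leave the descriptor
 * table as it was, 0 otherwise. */
int leak_check(void)
{
    int before = lowest_free_fd();
    int i;

    for (i = 0; i < 64; i++)
        if (open_catalog("/tmp", "C", "demo") >= 0)
            return 0;
    return before >= 0 && lowest_free_fd() == before;
}
```

An over-long LANG is rejected with ENAMETOOLONG before any byte is written past the buffer, and the repeated failed lookups leave the lowest free descriptor number unchanged.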

PHCO_11004:
Code which cleans up stdio streams did not handle read-only streams which were waiting indefinitely on a read.

1. The "rhosts" check fails if the parent directory of the user's home directory does not have the right group permissions. Consider the case where the parent directory has permissions "710".

       /home          - permissions rwx--x---
       /home/student  - permissions rwx------

   The directories home and student belong to the same group. The "rhosts" check fails when a remote user tries to login as "student". This is because the ruserok() routine does not change the effective group id to the real group id before opening the ".rhosts" file.

2. Usernames in the hosts.equiv file are improperly parsed. The ruserok() code now exhibits the expected and documented behavior.

An incorrect setting of NLSPATH, e.g. NLSPATH="/tmp", causes catopen() to leave open file descriptors behind. As a result, applications that frequently call catopen() with an incorrectly set NLSPATH can run out of file descriptors.

NIS getservbyname() had a memory leak.

strcat() prefetches a word before doing shift and concatenation. A check for end of string should be performed before the prefetch since the prefetched word may be across the page boundary. This is now fixed.

The non-C locale code continued to check beyond the terminating null character. In the C-locale with REG_NEWLINE set, the ^ case should continue checking the entire string in case there are newlines in the string.

The leap year algorithm was incorrect for getdate(3c). The check for the range of the input date was in the wrong place.

PHCO_10027:
Unacceptable degradation of collation using the Swedish language.

Regular expression pattern ".*" behaves incorrectly in Japanese locale.

memcmp tried to prefetch words from outside of the valid memory page and this might cause memory core dumps. The prefetching of invalid memory words was caused by incorrect calculation of the number of words to fetch and compare. This is fixed now.
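The page-boundary over-reads described above for strcat() and memcmp(), and earlier for strncmp() (reading a word ahead, or returning non-zero for a zero length with a null pointer), can be checked by placing the data directly in front of an inaccessible page. The C sketch below is an added example, not HP's libc code; wordwise_memcmp, bounded_strncmp, guarded_tail and page_boundary_check are hypothetical names, the sample bytes are constructed, and a POSIX system with /dev/zero is assumed.

```c
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Word-at-a-time compare. The word count is derived from n alone, so the
 * loop never fetches a word that extends past byte n-1; the tail, and the
 * first differing word, are finished one byte at a time. */
int wordwise_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *p = a, *q = b;
    size_t words = n / sizeof(unsigned long);

    while (words > 0) {
        unsigned long x, y;

        memcpy(&x, p, sizeof x);          /* alignment-safe word load */
        memcpy(&y, q, sizeof y);
        if (x != y)
            break;                        /* differing byte found below */
        p += sizeof x;
        q += sizeof y;
        n -= sizeof x;
        words--;
    }
    for (; n > 0; n--, p++, q++)
        if (*p != *q)
            return *p < *q ? -1 : 1;      /* compared as unsigned char */
    return 0;
}

/* The length is tested before either pointer is dereferenced, so a zero
 * length returns 0 even when one argument is a null pointer, and no byte
 * beyond index n-1 is read. */
int bounded_strncmp(const char *a, const char *b, size_t n)
{
    const unsigned char *p = (const unsigned char *)a;
    const unsigned char *q = (const unsigned char *)b;

    for (; n > 0; n--, p++, q++) {
        if (*p != *q)
            return *p < *q ? -1 : 1;
        if (*p == '\0')
            break;
    }
    return 0;
}

/* Map two pages, make the second inaccessible, and return a pointer to the
 * last len bytes of the first. Any read past them raises SIGSEGV. The
 * mapping is left in place for the life of the process. */
static unsigned char *guarded_tail(size_t len)
{
    long pg = sysconf(_SC_PAGESIZE);
    int fd = open("/dev/zero", O_RDWR);
    unsigned char *base;

    if (fd < 0)
        return NULL;
    base = mmap(NULL, 2 * (size_t)pg, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd);
    if (base == MAP_FAILED)
        return NULL;
    if (len > (size_t)pg || mprotect(base + pg, (size_t)pg, PROT_NONE) != 0) {
        munmap(base, 2 * (size_t)pg);
        return NULL;
    }
    return base + pg - len;
}

/* Constructed data: 13 unterminated bytes ending exactly at a page boundary.
 * Returns 1 if every comparison completes without touching the guard page
 * and gives the expected result, 0 on a wrong result, -1 if setup failed. */
int page_boundary_check(void)
{
    static const char sample[] = "libc-10.20-ok";
    size_t len = sizeof sample - 1;
    unsigned char *x = guarded_tail(len);
    unsigned char *y = guarded_tail(len);

    if (x == NULL || y == NULL)
        return -1;
    memcpy(x, sample, len);
    memcpy(y, sample, len);
    if (wordwise_memcmp(x, y, len) != 0)
        return 0;
    if (bounded_strncmp((const char *)x, (const char *)y, len) != 0)
        return 0;
    y[len - 1] = 'K';                     /* differ only in the tail byte */
    if (wordwise_memcmp(x, y, len) <= 0)  /* 'k' sorts after 'K' */
        return 0;
    return bounded_strncmp((const char *)x, NULL, 0) == 0;
}
```

A routine that prefetched a whole word at the tail, or read one word ahead, would fault inside page_boundary_check() instead of returning.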

In a system with more than one set of locale libraries to be used by libc.1 and libc.2, libc.1 will use the wrong set of locale libraries for the C locale. libc.1 needs to be changed to use the locale libraries in the /usr/lib/nls/loc/locales.1 directory instead of /usr/lib/nls/loc/locales, which is a symbolic link to /usr/lib/nls/loc/locales.2 on an HP-UX 10.30 system. This patch is needed for an HP-UX 10.20 machine if that machine is being used to build applications which you intend to run on future releases of HP-UX. This patch is not needed for correct operation of programs on an HP-UX 10.20 system, because /usr/lib/nls/loc/locales is a symbolic link to /usr/lib/nls/loc/locales.1.

PHCO_9577:
Problem is in yp_bind.c. The second function call to flock() has a syntax error in the parameter list. The first call to flock() is correct. When this command is given the second function call to flock() is in code which is only invoked when Talk2_binder() is called. Then it hangs.

PHCO_8979:
If you lock /etc/.pwd.lock using lckpwdf, there is no way to determine that it was unlocked, because ulckpwdf always returns -1.

Allocated memory was not properly freed by globfree() after use.

The day of the month was being improperly adjusted for the case when the day of the week matched today.

Pattern map was set such that it would continue matching past end of pattern.

The maximum number of message sets allowed in a message catalog was not high enough; it has been increased to 65535.

The tempnam(), mktemp() and mkstemp() APIs did not check for a dangling symlink before returning a name; this has been fixed now.

The strptime and getdate calls were not consistent in the manner in which they handled two digit year specifications.

res_init() leads to the processing of the ndots option. In processing the ndots value a routine was called that could generate a recursive loop back to res_init(). During the recursive loop a memory leak would be generated.
The code has been redesigned to avoid this loop condition.

When a very large template file is used, and the getdate() routine has to search far into the file to find a matching format specifier, getdate() overran the allocated array.

PHCO_8764:
The fix for strcat's page boundary problem caused truncation of some strings.

PHCO_8108:
Poor performance of 10.X regular expression processing in comparison to 9.X.

The affected entry points were not exported properly.

According to X/Open, getcwd takes a second argument of type size_t and returns EINVAL only when the second argument is 0.

memchr tries to read beyond the end of valid memory when the char is not found in the string and may core dump.

The strcat call didn't handle an optimized pre-fetching strategy properly, causing the read of bytes belonging to unmapped pages.

SR:
    8606104252 8606106102 4701389700 5003410290 5003424531 1653308684 4701428805 5003436923 5003465781 5003463463 5003459693 5003459735 5003422337 5003439299 4701413906 5003457887 4701414862 1653245415 5003407569 5003443143 5003444117 1653252635 4701405688 4701405696 4701405720 4701405704 4701405712 1653242669 1653269738 5003416719 5003423871 1653259333 1653261131 5003348011 4701389932 4701390138 4701394395 4701382374 4701389916 4701390120 4701392977 4701392969 1653261081 4701392928 4701394650 1653219691 5003422337 4701309294 1653155929 1653169615 5003338038 5003344192 1653185629 5003341271 1653189134 4701334763 5003320648 1653176883 1653192161 4701344721 1653211490 5003297861 5003274753 1653208355 5003358762 5003302299 1653204651 4701349118 1653203026 4701334763 1653214346 1653208355 1653215186 5003377606 5003355867 1653228304 1653119560 4701364653 5003392126 1653192724 4701374512 4701374470 1653214346 1653242040 4701378117 5003392126 5003380394 1653236562 5003395673 1653231456 5003413021 5003378869 5003394833 4701388462 4701389551 4701388215 5003411355 5003415513 5003419481

Patch Files:
    /usr/lib/libc.a
    /usr/lib/libp/libc.a
    /usr/lib/libpicc.a
    /usr/lib/libc.1
    /usr/lib/year2000.o
    /usr/lib/libdbm.1

what(1) Output:
    /usr/lib/libc.a:
        PATCH-PHCO_20098 for 10.20; for 10.30, 11.x compatib
        ility libc.a_ID@@/main/r10dav/libc_dav/libc
        _dav_cpe/9
        /ux/core/libs/libc/archive_pa1/libc.a_ID
        Oct 8 1999 10:25:55
    /usr/lib/libp/libc.a:
        PATCH-PHCO_20098 for 10.20; for 10.30, 11.x compatib
        ility libc.a_ID@@/main/r10dav/libc_dav/libc
        _dav_cpe/9
        /ux/core/libs/libc/profiled_pa1/libc.a_ID
        Oct 8 1999 10:50:57
    /usr/lib/libpicc.a:
        PATCH-PHCO_20098 for 10.20; for 10.30, 11.x compatib
        ility libc.1_ID@@/main/r10dav/libc_dav/libc
        _dav_cpe/9
        /ux/core/libs/libc/shared_pa1/libc.1_ID
        Oct 8 1999 10:40:40
    /usr/lib/libc.1:
        PATCH-PHCO_20098 for 10.20; for 10.30, 11.x compatib
        ility libc.1_ID@@/main/r10dav/libc_dav/libc
        _dav_cpe/9
        /ux/core/libs/libc/shared_pa1/libc.1_ID
        Oct 8 1999 10:39:52
    /usr/lib/year2000.o:
        None
    /usr/lib/libdbm.1:
        Mar 10 1998 - Empty shared library

cksum(1) Output:
    3455488660 2456372 /usr/lib/libc.a
    999241344 2641688 /usr/lib/libp/libc.a
    753076376 2628582 /usr/lib/libpicc.a
    2343188955 1863680 /usr/lib/libc.1
    271691768 704 /usr/lib/year2000.o
    3794055262 12292 /usr/lib/libdbm.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_8108 PHCO_8764 PHCO_8979 PHCO_9577 PHCO_10027 PHCO_11004
    PHCO_11315 PHCO_12128 PHCO_12448 PHCO_12673 PHCO_13029 PHCO_13189
    PHCO_13282 PHCO_13399 PHCO_13626 PHCO_13775 PHCO_13777 PHCO_14199
    PHCO_14511 PHCO_14868 PHCO_14891 PHCO_15153 PHCO_15465 PHCO_15807
    PHCO_15808 PHCO_16302 PHCO_16303 PHCO_16723 PHCO_17381 PHCO_18018
    PHCO_18338 PHCO_18644 PHCO_19181

Equivalent Patches: None

Patch Package Size: 9440 KBytes

Installation Instructions:
Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.
------------------------------------------------------------
1. Back up your system before installing a patch.

2. Log in as root.

3. Copy the patch to the /tmp directory.

4. Move to the /tmp directory and unshar the patch:

       cd /tmp
       sh PHCO_20098

5a. For a standalone system, run swinstall to install the patch:

       swinstall -x autoreboot=true -x match_target=true \
           -s /tmp/PHCO_20098.depot

By default swinstall will archive the original software in /var/adm/sw/patch/PHCO_20098. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.

WARNING: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.

It is recommended that you move the PHCO_20098.text file to /var/adm/sw/patch for future reference.

To put this patch on a magnetic tape and install from the tape drive, use the command:

       dd if=/tmp/PHCO_20098.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
If libc patches are installed without rebooting, applications currently running which are linked shared against libc will still continue using the former version of libc. If this presents a problem to any applications, you should reboot.
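
The page-boundary defects listed under PHCO_8108 (memchr reading beyond the end of valid memory, strcat pre-fetching bytes from unmapped pages) can be regression-tested by placing a buffer flush against an inaccessible page. The following is an added example, not code from the patch or from HP; it assumes a POSIX system with mmap, mprotect and MAP_ANONYMOUS, and the names guarded_tail, probe_memchr, probe_strcat and run_probe are hypothetical.

```c
#define _GNU_SOURCE              /* for MAP_ANONYMOUS on glibc */
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy `len` bytes of constructed data to the end of a readable page that is
   followed by an inaccessible page, so any read past the buffer faults. */
static char *guarded_tail(const void *data, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || len > page ||
        mprotect(base + page, page, PROT_NONE) != 0) return NULL;
    return memcpy(base + page - len, data, len);
}

/* memchr for an absent byte must return NULL without leaving the buffer. */
static int probe_memchr(void)
{
    char *buf = guarded_tail("AAAAAAAAAAAAA", 13);
    if (buf == NULL) return 3;
    return memchr(buf, 'z', 13) == NULL ? 0 : 1;
}

/* strcat must stop at the source's NUL, here the last mapped byte. */
static int probe_strcat(void)
{
    char dst[32] = "dst:", *src = guarded_tail("ABCDE", 6);
    if (src == NULL) return 3;
    strcat(dst, src);
    return strcmp(dst, "dst:ABCDE") == 0 ? 0 : 1;
}

/* Run a probe in a child process so a fault is reported instead of fatal.
   0 = correct, 1 = wrong result, 2 = killed by a signal, 3 = setup failed. */
static int run_probe(int (*probe)(void))
{
    int status;
    pid_t pid = fork();
    if (pid == 0) _exit(probe());
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return 3;
    return WIFSIGNALED(status) ? 2 : WEXITSTATUS(status);
}

/* Exit status is nonzero if either probe misbehaved on this libc. */
int main(void) { return run_probe(probe_memchr) | run_probe(probe_strcat); }
```

A result of 2 from run_probe means the routine under test touched the protected page, which is the core dump the defect descriptions refer to.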