Bug 812551

Summary: [PATCH] Bad behavior on disconnect
Product: [Fedora] Fedora Reporter: Enrico Scholz <rh-bugzilla>
Component: dtachAssignee: Lon Hohberger <lhh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: jlieskov, lhh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 812552 (view as bug list) Environment:
Last Closed: 2012-06-27 10:03:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 812552, 835849    

Description Enrico Scholz 2012-04-14 19:14:00 UTC 
Description of problem:

When client disconnects uncleanly, it might happen that an underlying
read() operation returns with an error.  This error was interpreted
wrongly because the negative return value was assigned to a variable
of unsigned type and being checked for <= 0. As this condition does
not hold in error case, a packet with wrong len (255) was sent instead
of aborting the client:

| read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error)
| write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10


The server accepts this broken packet and puts random data (stack
content) to the program:

| read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10
| write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255


For reference, the 'pkt' is defined as

| struct packet
| {
| 	unsigned char type;
| 	unsigned char len;
| ...
| }


Version:

dtach-0.8-5.fc15.x86_64
Comment 1 Enrico Scholz 2012-04-14 19:16:22 UTC 
Upstream:

https://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357
Comment 2 Enrico Scholz 2012-06-27 00:30:07 UTC 
setting 'security' keyword because random stack data with potentially private information can be posted to public services (e.g. when running the irssi irc client in dtach).
Comment 3 Jan Lieskovsky 2012-06-27 10:03:51 UTC 

*** This bug has been marked as a duplicate of bug 835853 ***