| Summary: | [PATCH] Bad behavior on disconnect | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Enrico Scholz <rh-bugzilla> | |
| Component: | dtach | Assignee: | Lon Hohberger <lhh> | |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | rawhide | CC: | jlieskov, lhh | |
| Target Milestone: | --- | Keywords: | Security | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 812552 (view as bug list) | Environment: | ||
| Last Closed: | 2012-06-27 10:03:51 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 812552, 835849 | |||
setting 'security' keyword because random stack data with potentially private information can be posted to public services (e.g. when running the irssi irc client in dtach). *** This bug has been marked as a duplicate of bug 835853 *** |
Description of problem: When client disconnects uncleanly, it might happen that an underlying read() operation returns with an error. This error was interpreted wrongly because the negative return value was assigned to a variable of unsigned type and being checked for <= 0. As this condition does not hold in error case, a packet with wrong len (255) was sent instead of aborting the client: | read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error) | write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10 The server accepts this broken packet and puts random data (stack content) to the program: | read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10 | write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255 For reference, the 'pkt' is defined as | struct packet | { | unsigned char type; | unsigned char len; | ... | } Version: dtach-0.8-5.fc15.x86_64